Abstract

In this paper we combine Answer Set Programming (ASP) with Dynamic Linear Time 
Temporal Logic (DLTL) to define a temporal logic programming language for reasoning 
about complex actions and infinite computations. DLTL extends propositional temporal 
logic of linear time with regular programs of propositional dynamic logic, which are used 
for indexing temporal modalities. The action language allows general DLTL formulas to be 
included in domain descriptions to constrain the space of possible extensions. We introduce 
a notion of Temporal Answer Set for domain descriptions, based on the usual notion of 
Answer Set. Also, we provide a translation of domain descriptions into standard ASP and 
we use Bounded Model Checking techniques for the verification of DLTL constraints. 

KEYWORDS: Answer Set Programming, Temporal Logic, Bounded Model Checking. 



1 Introduction 

Temporal logic is one of the main tools used in the verification of dynamic systems. 
In the last decades, temporal logic has been widely used also in AI in the context 
of planning, diagnosis, web service verification, agent interaction and, in general, 
in most of those areas having to do with some form of reasoning about actions. 

The need for temporally extended goals in the context of planning was first 
motivated in (Bacchus and Kabanza 1998; Kabanza et al. 1997; Giunchiglia and Traverso 1999). 
In particular, (Giunchiglia and Traverso 1999) developed the idea of planning as 
model checking in a temporal logic, where the properties of planning domains are 
formalized as temporal formulas in CTL. In general, temporal formulas can be usefully 
exploited both in the specification of a domain and in the verification of its 
properties. This has been done, for instance, for modeling the interaction of services 
on the web (Pistore et al. 2005), as well as for the specification and verification of 
agent communication protocols (Giordano et al. 2007). Recently, Claßen and Lakemeyer 
(Claßen and Lakemeyer 2008) have introduced a second order extension of 
the temporal logic CTL*, ESG, to express and reason about non-terminating Golog 
programs. The ability to capture infinite computations is important as agents and 
robots usually fulfill non-terminating tasks. 

In this paper we combine Answer Set Programming (ASP) (Gelfond 2007) with 
Dynamic Linear Time Temporal Logic (DLTL) (Henriksen and Thiagarajan 1999) 
to define a temporal logic programming language for reasoning about complex 
actions and infinite computations. DLTL extends propositional temporal logic of 
linear time with regular programs of propositional dynamic logic, which are used for 
indexing temporal modalities. Allowing program expressions within temporal 
formulas and including arbitrary temporal formulas in domain descriptions provides 
a simple way of constraining the (possibly infinite) evolutions of a system, as in 
Propositional Dynamic Logic (PDL). To combine ASP and DLTL, we define a 
temporal extension of ASP by allowing temporal modalities to occur within rules and 
we introduce a notion of Temporal Answer Set, which captures the temporal 
dimension of the language as a linear structure and naturally allows dealing with infinite 
computations. A domain description consists of two parts: a set of temporal rules 
(action laws, causal laws, etc.) and a set of constraints (arbitrary DLTL formulas). 
The temporal answer sets of the rules in the domain description which also satisfy 
the constraints are defined to be the extensions of the domain description. 

We provide a translation into standard ASP for the temporal rules of the 
domain description. The temporal answer sets of an action theory can then be 
computed as the standard answer sets of the translation. To compute the extensions 
of a domain description, the temporal constraints are evaluated over temporal 
answer sets using bounded model checking techniques (Biere et al. 2003). The 
approach proposed for the verification of DLTL formulas extends the one developed in 
(Heljanko and Niemelä 2003) for bounded LTL model checking with Stable Models. 

The outline of the paper is as follows. In Section 2, we recall the temporal logic 
DLTL. In Section 3, we introduce our action theory in temporal ASP. In Section 4, 
we define the notions of temporal answer set and extension of a domain description. 
Section 5 describes the reasoning tasks, while Sections 6 and 7 describe the model 
checking problem and provide a translation of temporal domain descriptions into 
ASP. Section 8 is devoted to conclusions and related work. 



2 Dynamic Linear Time Temporal Logic 

In this section we briefly define the syntax and semantics of DLTL as introduced 
in (Henriksen and Thiagarajan 1999). In such a linear time temporal logic the next 
state modality is indexed by actions. Moreover (and this is the extension to LTL), 
the until operator is indexed by a program $\pi$ as in PDL. In addition to the usual 
$\Box$ (always) and $\Diamond$ (eventually) temporal modalities of LTL, new modalities $[\pi]$ and 
$\langle\pi\rangle$ are allowed. Informally, a formula $[\pi]\alpha$ is true in a world $w$ of a linear temporal 
model (a sequence of propositional interpretations) if $\alpha$ holds in all the worlds of 
the model which are reachable from $w$ through any execution of the program $\pi$. A 
formula $\langle\pi\rangle\alpha$ is true in a world $w$ of a linear temporal model if there exists a world 
of the model reachable from $w$ through an execution of the program $\pi$, in which 
$\alpha$ holds. The program $\pi$ can be any regular expression built from atomic actions 
using sequence (;), nondeterministic choice (+) and finite iteration (*). The usual 
modalities $\Box$, $\Diamond$ and $\bigcirc$ (next) of LTL are definable. 

Let $\Sigma$ be a finite non-empty alphabet representing actions. Let $\Sigma^*$ and $\Sigma^\omega$ be the 
set of finite and infinite words on $\Sigma$, and let $\Sigma^\infty = \Sigma^* \cup \Sigma^\omega$. We denote by $\sigma, \sigma'$ the 
words over $\Sigma^\omega$ and by $\tau, \tau'$ the words over $\Sigma^*$. For $u \in \Sigma^\infty$, we denote by $prf(u)$ 
the set of finite prefixes of $u$. Moreover, we denote by $\leq$ the usual prefix ordering 
over $\Sigma^*$, namely, $\tau \leq \tau'$ iff $\exists \tau''$ such that $\tau\tau'' = \tau'$, and $\tau < \tau'$ iff $\tau \leq \tau'$ and $\tau \neq \tau'$. 

The set of programs (regular expressions) $Prg(\Sigma)$ generated by $\Sigma$ is: 

$$Prg(\Sigma) ::= a \mid \pi_1 + \pi_2 \mid \pi_1;\pi_2 \mid \pi^*,$$

where $a \in \Sigma$ and $\pi_1, \pi_2, \pi$ range over $Prg(\Sigma)$. A set of finite words is associated 
with each program by the mapping $[[\cdot]] : Prg(\Sigma) \to 2^{\Sigma^*}$, which is defined as follows: 

• $[[a]] = \{a\}$; 

• $[[\pi_1 + \pi_2]] = [[\pi_1]] \cup [[\pi_2]]$; 

• $[[\pi_1;\pi_2]] = \{\tau_1\tau_2 \mid \tau_1 \in [[\pi_1]] \text{ and } \tau_2 \in [[\pi_2]]\}$; 

• $[[\pi^*]] = \bigcup_{i \in \omega} [[\pi^i]]$, where 

  – $[[\pi^0]] = \{\varepsilon\}$ 

  – $[[\pi^{i+1}]] = \{\tau_1\tau_2 \mid \tau_1 \in [[\pi]] \text{ and } \tau_2 \in [[\pi^i]]\}$, for every $i \in \omega$ 

where $\varepsilon$ is the empty word (the empty action sequence). 

Let $\mathcal{P} = \{p_1, p_2, \ldots\}$ be a countable set of atomic propositions containing $\top$ and 
$\bot$ (standing for true and false), and let 

$$DLTL(\Sigma) ::= p \mid \neg\alpha \mid \alpha \vee \beta \mid \alpha\,\mathcal{U}^\pi\beta,$$

where $p \in \mathcal{P}$ and $\alpha, \beta$ range over $DLTL(\Sigma)$. 

A model of $DLTL(\Sigma)$ is a pair $M = (\sigma, V)$ where $\sigma \in \Sigma^\omega$ and $V : prf(\sigma) \to 2^{\mathcal{P}}$ 
is a valuation function. Given a model $M = (\sigma, V)$, a finite word $\tau \in prf(\sigma)$ and a 
formula $\alpha$, the satisfiability of a formula $\alpha$ at $\tau$ in $M$, written $M, \tau \models \alpha$, is defined 
as follows: 

• $M, \tau \models \top$; 

• $M, \tau \not\models \bot$; 

• $M, \tau \models p$ iff $p \in V(\tau)$; 

• $M, \tau \models \neg\alpha$ iff $M, \tau \not\models \alpha$; 

• $M, \tau \models \alpha \vee \beta$ iff $M, \tau \models \alpha$ or $M, \tau \models \beta$; 

• $M, \tau \models \alpha\,\mathcal{U}^\pi\beta$ iff there exists $\tau' \in [[\pi]]$ such that $\tau\tau' \in prf(\sigma)$ and $M, \tau\tau' \models \beta$. 
Moreover, for every $\tau''$ such that $\varepsilon \leq \tau'' < \tau'$, $M, \tau\tau'' \models \alpha$. 

A formula $\alpha$ is satisfiable iff there is a model $M = (\sigma, V)$ and a finite word $\tau \in prf(\sigma)$ 
such that $M, \tau \models \alpha$. The formula $\alpha\,\mathcal{U}^\pi\beta$ is true at $\tau$ if "$\alpha$ until $\beta$" is true on a finite 
stretch of behavior which is in the linear time behavior of the program $\pi$. 
The classical connectives $\supset$ and $\wedge$ are defined as usual. The derived modalities $\langle\pi\rangle$ 
and $[\pi]$ can be defined as follows: $\langle\pi\rangle\alpha = \top\,\mathcal{U}^\pi\alpha$ and $[\pi]\alpha = \neg\langle\pi\rangle\neg\alpha$. Furthermore, if 
we let $\Sigma = \{a_1, \ldots, a_n\}$, the $\mathcal{U}$ (until), $\bigcirc$ (next), $\Diamond$ and $\Box$ operators of LTL can be 
defined as follows: $\bigcirc\alpha = \bigvee_{a \in \Sigma}\langle a\rangle\alpha$, $\alpha\,\mathcal{U}\beta = \alpha\,\mathcal{U}^{\Sigma^*}\beta$, $\Diamond\alpha = \top\,\mathcal{U}\alpha$, $\Box\alpha = \neg\Diamond\neg\alpha$, 
where, in $\mathcal{U}^{\Sigma^*}$, $\Sigma$ is taken to be a shorthand for the program $a_1 + \ldots + a_n$. Hence, 
$LTL(\Sigma)$ is a fragment of $DLTL(\Sigma)$. As shown in (Henriksen and Thiagarajan 1999), 
$DLTL(\Sigma)$ is strictly more expressive than $LTL(\Sigma)$. In fact, DLTL has the full 
expressive power of the monadic second order theory of $\omega$-sequences. 
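As an added illustration of the definitions above (this is example code written for this page, not code from the paper), the following evaluator implements the mapping $[[\cdot]]$ on programs and the satisfiability clauses of DLTL, including the derived $\langle\pi\rangle$, $[\pi]$ and $\mathcal{U}^{\Sigma^*}$, over a finite prefix of a model; the run over the hunter program $(\neg in\_sight?; wait)^*; in\_sight?; load; shoot$ and the states along it are constructed here, and the only assumption is that prefixes longer than the given word are treated as not belonging to $prf(\sigma)$.

```python
"""Evaluator for DLTL programs and formulas over a finite prefix of a model (Section 2).

A program is ('act', a), ('choice', p1, p2), ('seq', p1, p2) or ('star', p); a formula is
('T',), ('F',), ('p', name), ('not', f), ('or', f, g) or ('until', prog, f, g) for f U^prog g.
A model is a finite action word sigma plus a list val with one set of propositions per
prefix of sigma (val[i] is the state reached after the first i actions).  Assumption:
only prefixes of the finite word are explored, so [[pi*]] is unfolded up to the length left.
"""


def words(prog, max_len):
    """Finite words of [[prog]] of length <= max_len (pi^0 = {eps}, pi^(i+1) = pi ; pi^i)."""
    kind = prog[0]
    if kind == 'act':
        return {(prog[1],)} if max_len >= 1 else set()
    if kind == 'choice':
        return words(prog[1], max_len) | words(prog[2], max_len)
    if kind == 'seq':
        return {t1 + t2 for t1 in words(prog[1], max_len)
                for t2 in words(prog[2], max_len - len(t1))}
    if kind == 'star':
        out, frontier = {()}, {()}
        while frontier:                       # unfold pi^i until no new word fits the bound
            frontier = {t1 + t2 for t1 in frontier
                        for t2 in words(prog[1], max_len - len(t1))} - out
            out |= frontier
        return out
    raise ValueError(prog)


def sat(model, i, phi):
    """M, tau |= phi, with tau the prefix of sigma of length i."""
    sigma, val = model
    kind = phi[0]
    if kind == 'T':
        return True
    if kind == 'F':
        return False
    if kind == 'p':
        return phi[1] in val[i]
    if kind == 'not':
        return not sat(model, i, phi[1])
    if kind == 'or':
        return sat(model, i, phi[1]) or sat(model, i, phi[2])
    if kind == 'until':
        prog, alpha, beta = phi[1], phi[2], phi[3]
        for tp in words(prog, len(sigma) - i):
            if tuple(sigma[i:i + len(tp)]) != tp:
                continue                      # tau tau' is not a prefix of sigma
            if sat(model, i + len(tp), beta) and all(
                    sat(model, i + j, alpha) for j in range(len(tp))):
                return True                   # alpha on every tau'' with eps <= tau'' < tau'
        return False
    raise ValueError(phi)


def diamond(prog, phi):
    return ('until', prog, ('T',), phi)       # <prog>phi = T U^prog phi


def box(prog, phi):
    return ('not', diamond(prog, ('not', phi)))   # [prog]phi = -<prog>-phi


def sigma_star(alphabet):
    """The program (a1 + ... + an)*, so that U^{Sigma*} is the until of LTL."""
    prog = ('act', alphabet[0])
    for a in alphabet[1:]:
        prog = ('choice', prog, ('act', a))
    return ('star', prog)


ACTS = ['load', 'shoot', 'spin', 'wait', 'in_sight?', 'not_in_sight?']
# Program (5): (not_in_sight?; wait)*; in_sight?; load; shoot
HUNT = ('seq', ('seq', ('seq', ('star', ('seq', ('act', 'not_in_sight?'), ('act', 'wait'))),
                       ('act', 'in_sight?')), ('act', 'load')), ('act', 'shoot'))
# Constructed run: the turkey shows up during the wait, then the hunter loads and shoots.
RUN = (('not_in_sight?', 'wait', 'in_sight?', 'load', 'shoot'),
       [{'alive'}, {'alive'}, {'alive', 'in_sight'}, {'alive', 'in_sight'},
        {'alive', 'in_sight', 'loaded'}, {'in_sight', 'loaded'}])
# Constructed run violating the constraint: the gun is loaded before the turkey is in sight.
EARLY_LOAD = (('load', 'shoot'), [{'alive'}, {'alive', 'loaded'}, {'loaded'}])
NOT_LOADED_UNTIL_IN_SIGHT = ('until', sigma_star(ACTS),
                             ('not', ('p', 'loaded')), ('p', 'in_sight'))
```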

3 Action theories in Temporal ASP 

Let $\mathcal{P}$ be a set of atomic propositions, the fluent names. A simple fluent literal $l$ 
is a fluent name $f$ or its negation $\neg f$. Given a fluent literal $l$, such that $l = f$ or 
$l = \neg f$, we define $|l| = f$. We denote by $Lit_S$ the set of all simple fluent literals and, 
for each $l \in Lit_S$, we denote by $\bar{l}$ the complementary literal (namely, $\bar{p} = \neg p$ and 
$\overline{\neg p} = p$). $Lit_T$ is the set of temporal fluent literals: if $l \in Lit_S$, then $[a]l, \bigcirc l \in Lit_T$ 
(for $a \in \Sigma$). Let $Lit = Lit_S \cup Lit_T \cup \{\bot\}$. Given a (temporal) fluent literal $l$, $not\ l$ 
represents the default negation of $l$. A (temporal) fluent literal, possibly preceded 
by a default negation, will be called an extended fluent literal. 

A state is a set of fluent literals in $Lit_S$. A state is consistent if it is not the case 
that both $f$ and $\neg f$ belong to the state, or that $\bot$ belongs to the state. A state is 
complete if, for each fluent name $p \in \mathcal{P}$, either $p$ or $\neg p$ belongs to it. The execution 
of an action in a state may possibly change the values of fluents in the state through 
its direct and indirect effects, thus giving rise to a new state. 

Given a set of actions $\Sigma$, a domain description $D$ over $\Sigma$ is defined as a tuple 
$(\Pi, \mathcal{C})$, where $\Pi$ is a set of laws (action laws, causal laws, precondition laws, etc.) 
describing the preconditions and effects of actions, and $\mathcal{C}$ is a set of DLTL constraints. 
While $\Pi$ contains the laws that are usually included in a domain description, which 
define the executability conditions for actions, their direct and indirect effects as 
well as conditions on the initial state, $\mathcal{C}$ contains general DLTL constraints which 
must be satisfied by the intended interpretations of the domain description. While 
the laws in $\Pi$ define conditions on single states or on pairs of consecutive states, 
DLTL constraints define more general conditions on possible sequences of states 
and actions. Let us first describe the laws occurring in $\Pi$. 

The action laws describe the immediate effects of actions. They have the form: 

$$\Box([a]l_0 \leftarrow t_1, \ldots, t_m, not\ t_{m+1}, \ldots, not\ t_n) \quad (1)$$

where $l_0$ is a simple fluent literal and the $t_i$'s are either simple fluent literals or 
temporal fluent literals of the form $[a]l$. Its meaning is that executing action $a$ in 
a state in which the conditions $t_1, \ldots, t_m$ hold and conditions $t_{m+1}, \ldots, t_n$ do not 
hold causes the effect $l_0$ to hold. Observe that a temporal literal $[a]l$ is true in a 
state when the execution of action $a$ in that state causes $l$ to become true in the 
next state. For instance, the following action laws describe the deterministic effect 
of the actions $shoot$ and $load$ for the Russian Turkey problem: 

$\Box([shoot]\neg alive \leftarrow loaded)$ 
$\Box[load]loaded$ 

Nondeterministic actions can be defined using default negation in the body of 
action laws. In the example, after spinning the gun, it may be loaded or not: 

$\Box([spin]loaded \leftarrow not\ [spin]\neg loaded)$ 
$\Box([spin]\neg loaded \leftarrow not\ [spin]loaded)$ 

Observe that, in this case, temporal fluent literals occur in the body of action laws. 

Causal laws are intended to express "causal" dependencies among fluents. In $\Pi$ 
we allow two kinds of causal laws. Static causal laws have the form: 

$$\Box(l_0 \leftarrow l_1, \ldots, l_m, not\ l_{m+1}, \ldots, not\ l_n) \quad (2)$$

where the $l_i$'s are simple fluent literals. Their meaning is: if $l_1, \ldots, l_m$ hold in a state 
and $l_{m+1}, \ldots, l_n$ do not hold in that state, then $l_0$ is caused to hold in that state. 
Dynamic causal laws have the form: 

$$\Box(\bigcirc l_0 \leftarrow t_1, \ldots, t_m, not\ t_{m+1}, \ldots, not\ t_n) \quad (3)$$

where $l_0$ is a simple fluent literal and the $t_i$'s are either simple fluent literals or 
temporal fluent literals of the form $\bigcirc l$. Their meaning is: if $t_1, \ldots, t_m$ hold and 
$t_{m+1}, \ldots, t_n$ do not hold in a state, then $l_0$ is caused to hold in the next state. 
Observe that $t_i = \bigcirc l_i$ holds in a state when $l_i$ holds in the next state. 

For instance, the static causal law $\Box(frightened \leftarrow in\_sight, alive)$ states that 
the turkey being in sight of the hunter causes it to be frightened, if it is alive; 
alternatively, the dynamic causal law $\Box(\bigcirc frightened \leftarrow \bigcirc in\_sight, \neg in\_sight, alive)$ 
states that if the turkey is alive, it becomes frightened (if it is not already) when 
it starts seeing the hunter; but it can possibly become non-frightened later, due to 
other events, while still being in sight of the hunter¹. 

Besides action laws and causal laws, that apply to all states, we also allow for 
laws in $\Pi$ that only apply to the initial state. They are called initial state laws 
and have the form: 

$$l_0 \leftarrow l_1, \ldots, l_m, not\ l_{m+1}, \ldots, not\ l_n \quad (4)$$

where the $l_i$'s are simple fluent literals. Observe that initial state laws, unlike static 
causal laws, only apply to the initial state as they are not prefixed by the $\Box$ modality. 
As a special case, the initial state can be defined as a set of simple fluent literals. For 
instance, the initial state $\{alive, \neg in\_sight, \neg frightened\}$ is defined by the initial 
state laws: 

$alive \leftarrow$ $\quad$ $\neg in\_sight \leftarrow$ $\quad$ $\neg frightened \leftarrow$ 

Given the laws introduced above, all the usual ingredients of action theories can 
be introduced in $\Pi$. In particular, let us consider the case when $\bot$ can occur as a 
literal in the head of those laws. 



¹ Shorthands like those in (Denecker et al. 1998) could be used, even though we do not introduce 
them in this paper, to express that a fluent or a complex formula is initiated (i.e., it is false in 
the current state and caused true in the next one). 
Precondition laws are special kinds of action laws (1) with $\bot$ as effect. They 
have the form: 

$$\Box([a]\bot \leftarrow l_1, \ldots, l_m, not\ l_{m+1}, \ldots, not\ l_n)$$

where $a \in \Sigma$ and the $l_i$'s are simple fluent literals. The meaning is that the execution 
of an action $a$ is not possible in a state in which $l_1, \ldots, l_m$ hold and $l_{m+1}, \ldots, l_n$ do 
not hold (that is, no state may result from the execution of $a$ in a state in which 
$l_1, \ldots, l_m$ hold and $l_{m+1}, \ldots, l_n$ do not hold). 

State constraints that apply to the initial state or to all states can be obtained 
when $\bot$ occurs in the head of initial state laws (4) or static causal laws (2): 

$$\bot \leftarrow l_1, \ldots, l_m, not\ l_{m+1}, \ldots, not\ l_n$$

$$\Box(\bot \leftarrow l_1, \ldots, l_m, not\ l_{m+1}, \ldots, not\ l_n)$$

The first one means that it is not the case that, in the initial state, $l_1, \ldots, l_m$ hold 
and $l_{m+1}, \ldots, l_n$ do not hold. The second one means that there is no state in which 
$l_1, \ldots, l_m$ hold and $l_{m+1}, \ldots, l_n$ do not hold. 

As in (Lifschitz 1990) we call frame fluents those fluents to which the law of 
inertia applies. The persistency of frame fluents from a state to the next one can 
be enforced by introducing in $\Pi$ a set of laws, called persistency laws, 

$$\Box(\bigcirc f \leftarrow f, not\ \bigcirc\neg f)$$

$$\Box(\bigcirc\neg f \leftarrow \neg f, not\ \bigcirc f)$$

for each simple fluent $f$ to which inertia applies. Their meaning is that, if $f$ holds 
in a state, then $f$ will hold in the next state, unless its complement $\neg f$ is caused 
to hold. And similarly for $\neg f$. Note that persistency laws are instances of dynamic 
causal laws (3). In the following, we use $inertial\ f$ as a shorthand for the persistency 
laws for $f$. 

The persistency of a fluent from a state to the next one is blocked by the execution 
of an action which causes the value of the fluent to change, or by a nondeterministic 
action which may cause it to change. For instance, the persistency of $\neg loaded$ is 
blocked by $load$ and by $spin$. 

Examples of non-inertial fluents, for which persistency laws are not included, are 
those taking a default truth value, as for a spring door which is normally closed: 

$$\Box(closed \leftarrow not\ \neg closed)$$

or those which always change, at least by default, e.g., in case of a pendulum (see 
(Giunchiglia et al. 2004)) always switching between left and right position: 

$\Box(\bigcirc right \leftarrow \neg right, not\ \bigcirc\neg right)$ 
$\Box(\bigcirc\neg right \leftarrow right, not\ \bigcirc right)$ 

Such default action laws play a role similar to that of inertia rules in $\mathcal{C}$ (Giunchiglia and Lifschitz 1998), 
$\mathcal{C}$+ (Giunchiglia et al. 2004) and $\mathcal{K}$ (Eiter et al. 2004). 

Initial state laws may incompletely specify the initial state. In this paper we 
want to reason about complete states so that the execution of an infinite sequence 
of actions gives rise to a linear model as defined in Section 2. For this reason, we 
assume that, for each fluent $f$, $\Pi$ contains the laws: 

$f \leftarrow not\ \neg f$ 
$\neg f \leftarrow not\ f$ 

As we will see later, this assumption in general is not sufficient to guarantee that 
all the states are complete. 

Test actions, useful for checking the value of a fluent in a state in the definition 
of complex actions, can be defined through suitable laws as follows. Given a simple 
fluent literal $l \in Lit_S$, the test action $l?$ is executable only if $l$ holds, and it has no 
effect on any fluent $f$: 

$\Box([l?]\bot \leftarrow not\ l)$ 

$\Box([l?]f \leftarrow f)$ 

$\Box([l?]\neg f \leftarrow \neg f)$ 

The second component of a domain description is the set $\mathcal{C}$ of DLTL 
constraints, which allow very general temporal conditions to be imposed on the 
executions of the domain description (we will call them extensions). Their effect is 
that of restricting the space of the possible executions. For instance, the constraint: 

$$\neg loaded\ \mathcal{U}\ in\_sight$$

states that the gun is not loaded until the turkey is in sight. Its addition filters out 
all the executions in which the gun is loaded before the turkey is in sight. 

A temporal constraint can also require a complex behavior to be performed. The 
program 

$$(\neg in\_sight?; wait)^*; in\_sight?; load; shoot \quad (5)$$

describes the behavior of the hunter who waits for a turkey until it appears and, 
when it is in sight, loads the gun and shoots. Actions $in\_sight?$ and $\neg in\_sight?$ are 
test actions, as introduced before. If the constraint 

$$\langle(\neg in\_sight?; wait)^*; in\_sight?; load; shoot\rangle\top$$

is included in $\mathcal{C}$ then all the runs of the domain description which do not start with 
an execution of the given program will be filtered out. For instance, an extension in 
which in the initial state the turkey is not in sight and the hunter loads the gun and 
shoots is not allowed. In general, the inclusion of a constraint $\langle\pi\rangle\top$ in $\mathcal{C}$ requires 
that there is an execution of the program $\pi$ starting from the initial state. 

Example 1 

Let us consider a variant of the Yale shooting problem including some of the laws 
above, and some more stating that: if the hunter is in sight and the turkey is alive, 
the turkey is frightened; the turkey may come in sight or out of sight (nondeterministically) 
during waiting. 

Let $\Sigma = \{load, shoot, spin, wait\}$ and $\mathcal{P} = \{alive, loaded, in\_sight, frightened\}$. 
We define a domain description $(\Pi, \mathcal{C})$, where $\Pi$ contains the following laws: 

Immediate effects: 

$\Box([shoot]\neg alive \leftarrow loaded)$ $\quad$ $\Box[load]loaded$ 

$\Box([spin]loaded \leftarrow not\ [spin]\neg loaded)$ $\quad$ $\Box([spin]\neg loaded \leftarrow not\ [spin]loaded)$ 
$\Box([wait]in\_sight \leftarrow not\ [wait]\neg in\_sight)$ $\quad$ $\Box([wait]\neg in\_sight \leftarrow not\ [wait]in\_sight)$ 

Causal laws: $\Box(frightened \leftarrow in\_sight, alive)$ 

Initial state laws: $alive \leftarrow$ $\quad$ $\neg in\_sight \leftarrow$ $\quad$ $\neg frightened \leftarrow$ 

Precondition laws: $\Box([load]\bot \leftarrow loaded)$ 

All fluents in $\mathcal{P}$ are inertial: $inertial\ alive$, $inertial\ loaded$, $inertial\ in\_sight$, 
$inertial\ frightened$; and $\mathcal{C} = \{\neg loaded\ \mathcal{U}\ in\_sight\}$. 

Given this domain description we may want to ask if it is possible for the hunter 
to execute a behavior described by program $\pi$ in (5) so that the turkey is not alive 
after that execution. The intended answer to the query $\langle\pi\rangle\neg alive$ would be yes, 
since there is a possible scenario in which this can happen. 

Example 2 

In order to see that the action theory in this paper is well suited to deal with infinite 
executions, consider a mail delivery agent, which repeatedly checks if there is mail 
in the mailboxes of $a$ and $b$ and then it delivers the mail to $a$ or to $b$, if there is 
any; otherwise, it waits. Then, the agent starts the cycle again. The actions in $\Sigma$ 
are: $begin$, $sense\_mail(a)$ (the agent verifies if there is mail in the mailbox of $a$), 
$sense\_mail(b)$, $deliver(a)$ (the agent delivers the mail to $a$), $deliver(b)$, $wait$ (the 
agent waits). The fluent names are $mail(a)$ (there is mail in the mailbox of $a$) and 
$mail(b)$. The domain description contains the following laws for $a$: 

Immediate effects: 

$\Box[deliver(a)]\neg mail(a)$ 

$\Box([sense\_mail(a)]mail(a) \leftarrow not\ [sense\_mail(a)]\neg mail(a))$ 

Precondition laws: 

$\Box([deliver(a)]\bot \leftarrow \neg mail(a))$ 
$\Box([wait]\bot \leftarrow mail(a))$ 

Their meaning is (in the order) that: after delivering mail to $a$, there is no mail 
for $a$ anymore; the action $sense\_mail(a)$ of verifying if there is mail for $a$ may 
(non-monotonically) cause $mail(a)$ to become true; in case there is no mail for $a$, 
$deliver(a)$ is not executable; in case there is mail for $a$, $wait$ is not executable. The 
same laws are also introduced for the actions involving $b$. 

All fluents in $\mathcal{P}$ are inertial: $inertial\ mail(a)$, $inertial\ mail(b)$. Observe that the 
persistency laws for inertial fluents interact with the immediate effect laws above. 
The execution of $sense\_mail(a)$ in a state in which there is no mail for $a$ ($\neg mail(a)$) 
may either lead to a state in which $mail(a)$ holds (by the second action law) or to 
a state in which $\neg mail(a)$ holds (by the persistency of $\neg mail(a)$). 
$\mathcal{C}$ contains the following constraints: 

$\langle begin\rangle\top$ 

$\Box[begin]\langle sense(a); sense(b); (deliver(a) + deliver(b) + wait); begin\rangle\top$ 

The first one means that the action $begin$ must be executed in the initial state. The 
second one means that, after any execution of action $begin$, the agent must execute 
$sense(a)$ and $sense(b)$ in that order, then either deliver the mail to $a$ or to $b$ or wait 
and, then, execute action $begin$ again, to start a new cycle. 
We may want to check that if there is mail for $b$, the agent will eventually 
deliver it to $b$. This property, which can be formalized by the formula $\Box(mail(b) \supset 
\Diamond\neg mail(b))$, does not hold as there is a possible scenario in which there is mail for 
$b$, but the mail is repeatedly delivered to $a$ and never to $b$. The mail delivery agent 
we have described is not fair. 



Example 3 

As an example of modeling a controlled system and its possible faults, we describe 
an adaptation of the qualitative causal model of the "common rail" diesel injection 
system from (Panati and Theseider Dupré 2001) where: 

• Pressurized fuel is stored in a container, the rail, in order to be injected at high 
pressure into the cylinders. We ignore in the model the output flow through 
the injectors. Fuel from the tank is input to the rail through a pump. 

• A regulating system, including, in the physical system, a pressure sensor, a 
pressure regulator and an Electronic Control Unit, controls pressure in the 
rail; in particular, the pressure regulator, commanded by the ECU based on 
the measured pressure, outputs fuel back to the tank. 

• The control system repeatedly executes the $sense\_p$ (sense pressure) action 
while the physical system evolves through internal events. 

Examples of formulas from the model are contained in $\Pi$: 

$$\Box([pump\_weak\_fault]f\_in\_low)$$

shows the effect of the fault event $pump\_weak\_fault$. Flows influence the derivative 
of the pressure in the rail, and the pressure derivative influences pressure via the 
event $p\_change$: 

$\Box(p\_decr \leftarrow f\_out\_ok, f\_in\_low)$ $\quad$ $\Box(p\_incr \leftarrow f\_out\_very\_low, f\_in\_low)$ 

$\Box(p\_steady \leftarrow f\_out\_low, f\_in\_low)$ $\quad$ $\Box([p\_change]p\_low \leftarrow p\_ok, p\_decr)$ 
$\Box([p\_change]p\_ok \leftarrow p\_low, p\_incr)$ $\quad$ $\Box([p\_change]\bot \leftarrow p\_steady)$ 
$\Box([p\_change]\bot \leftarrow p\_decr, p\_low)$ $\quad$ $\Box([p\_change]\bot \leftarrow p\_incr, p\_ok)$ 

The model of the pressure regulating subsystem includes: 

$\Box([sense\_p]p\_obs\_ok \leftarrow p\_ok)$ $\quad$ $\Box(f\_out\_ok \leftarrow normal\_mode, p\_obs\_ok)$ 

$\Box([sense\_p]p\_obs\_low \leftarrow p\_low)$ $\quad$ $\Box(f\_out\_low \leftarrow comp\_mode, p\_obs\_ok)$ 

$\Box([switch\_mode]comp\_mode)$ $\quad$ $\Box(f\_out\_very\_low \leftarrow comp\_mode, p\_obs\_low)$ 

with the obvious mutual exclusion constraints among fluents. Initially, everything 
is normal and pressure is steady: $p\_ok$, $p\_steady$, $f\_in\_ok$, $f\_out\_ok$, $normal\_mode$. 
All fluents are inertial. We have the following temporal constraints in $\mathcal{C}$: 

$\Box((p\_ok \wedge p\_decr) \vee (p\_low \wedge p\_incr) \supset \langle p\_change\rangle\top)$ 
$\Box(normal\_mode \wedge p\_obs\_low \supset \langle switch\_mode\rangle\top)$ 
$[sense\_p]\langle(\Sigma - \{sense\_p\})^*\rangle\langle sense\_p\rangle\top$ 
$\Box[pump\_weak\_fault]\neg\Diamond\langle pump\_weak\_fault\rangle\top$ 

The first one models conditions which imply a pressure change. The second one 
models the fact that a mode switch occurs when the system is operating in normal 
mode and the measured pressure is low. The third one models the fact that the 
control system repeatedly executes $sense\_p$, but other actions may occur in between. 
The fourth one imposes that at most one fault may occur in a run. 

Given this specification we can, for instance, check that if pressure is low in one 
state, it will be normal in the third next one, namely, that the temporal formula 
$\Box(p\_low \supset \bigcirc\bigcirc\bigcirc p\_ok)$ is satisfied in all the possible scenarios admitted by the 
domain description. That is, the system tolerates a weak fault of the pump — the 
only fault included in this model. In general, we could, e.g., be interested in proving 
properties that hold if at most one fault occurs, or at most one fault in a set of 
"weak" faults occurs. 

As we have seen from the examples, our formalism naturally allows dealing with 
infinite executions of actions. Such infinite executions define the models over which 
temporal formulas can be evaluated. In order to deal with cases (e.g., in planning) 
where we want to reason on finite action sequences, it is easy to see that any finite 
action sequence can be represented as an infinite one, adding to the domain description 
an action $dummy$, and the constraints $\Diamond\langle dummy\rangle\top$ and $\Box[dummy]\langle dummy\rangle\top$ 
stating that action $dummy$ is eventually executed and, from that point on, only the 
action $dummy$ is executed. In the following, we will restrict our attention to infinite 
executions, assuming that the $dummy$ action is introduced when needed. 

4 Temporal answer sets and extensions for domain descriptions 

Given a domain description $D = (\Pi, \mathcal{C})$, the laws in $\Pi$ are rules of a general logic 
program extended with a restricted use of temporal modalities. In order to define 
the extensions of a domain description, we introduce a notion of temporal answer 
set, extending the usual notion of answer set (Gelfond 2007). The extensions of a 
domain description will then be defined as the temporal answer sets of $\Pi$ satisfying 
the integrity constraints $\mathcal{C}$. 

In the following, for conciseness, we call "simple (temporal) literals" the "simple 
(temporal) fluent literals". We call rules the laws in $\Pi$, having one of the two forms: 

$$l_0 \leftarrow l_1, \ldots, l_m, not\ l_{m+1}, \ldots, not\ l_n \quad (6)$$

where the $l_i$'s are simple literals, and 

$$\Box(t_0 \leftarrow t_1, \ldots, t_m, not\ t_{m+1}, \ldots, not\ t_n) \quad (7)$$

where the $t_i$'s are simple or temporal literals, the first one capturing initial state 
laws, the second one all the other laws. To define the notion of extension, we also 
need to introduce rules of the form: $[a_1; \ldots; a_h](t_0 \leftarrow t_1, \ldots, t_m, not\ t_{m+1}, \ldots, not\ t_n)$, 
where the $t_i$'s are simple or temporal literals, which will be used to define the reduct 
of a program. The modality $[a_1; \ldots; a_h]$ means that the rule applies in the state 
obtained after the execution of actions $a_1, \ldots, a_h$. Conveniently, also the notion of 
temporal literal used so far needs to be extended to include literals of the form 
$[a_1; \ldots; a_h]l$, meaning that $l$ holds after the action sequence $a_1, \ldots, a_h$. 

As we have seen, temporal models of DLTL are linear models, consisting of an 
action sequence $\sigma$ and a valuation function $V$, associating a propositional evaluation 
with each state in the sequence (denoted by a prefix of $\sigma$). We extend the notion of 
answer set to capture this linear structure of temporal models, by defining a partial 
temporal interpretation as a pair $(\sigma, S)$, where $\sigma \in \Sigma^\omega$ and $S$ is a set of literals of 
the form $[a_1; \ldots; a_k]l$, where $a_1 \ldots a_k$ is a prefix of $\sigma$. 

Definition 1 

Let $\sigma \in \Sigma^\omega$. A partial temporal interpretation over $\sigma$ is a pair $(\sigma, S)$ where $S$ is a 
set of temporal literals of the form $[a_1; \ldots; a_k]l$, such that $a_1 \ldots a_k$ is a prefix of $\sigma$, 
and it is not the case that both $[a_1; \ldots; a_k]l$ and $[a_1; \ldots; a_k]\neg l$ belong to $S$ or that 
$[a_1; \ldots; a_k]\bot$ belongs to $S$ (namely, $S$ is a consistent set of temporal literals). 

A temporal interpretation $(\sigma, S)$ is said to be total if either $[a_1; \ldots; a_k]p \in S$ or 
$[a_1; \ldots; a_k]\neg p \in S$, for each $a_1 \ldots a_k$ prefix of $\sigma$ and for each fluent name $p$. 

Observe that a partial interpretation $(\sigma, S)$ provides, for each prefix $a_1 \ldots a_k$, a 
partial evaluation of fluents in the state corresponding to that prefix. The (partial) 
state $w_{a_1 \ldots a_k}$ obtained by the execution of the actions $a_1 \ldots a_k$ in the sequence can 
be defined as follows: 

$$w_{a_1 \ldots a_k} = \{l : [a_1; \ldots; a_k]l \in S\}$$

Given a partial temporal interpretation $(\sigma, S)$ and a prefix $a_1 \ldots a_k$ of $\sigma$, we define 
the satisfiability of a simple, temporal and extended literal $t$ in $(\sigma, S)$ at $a_1 \ldots a_k$ 
(written $(\sigma, S), a_1 \ldots a_k \models t$) as follows: 

$(\sigma, S), a_1 \ldots a_k \models \top$ 

$(\sigma, S), a_1 \ldots a_k \not\models \bot$ 

$(\sigma, S), a_1 \ldots a_k \models l$ iff $[a_1; \ldots; a_k]l \in S$, for a simple literal $l$ 

$(\sigma, S), a_1 \ldots a_k \models [a]l$ iff $[a_1; \ldots; a_k; a]l \in S$ or $a_1 \ldots a_k a$ is not a prefix of $\sigma$ 

$(\sigma, S), a_1 \ldots a_k \models \bigcirc l$ iff $[a_1; \ldots; a_k; b]l \in S$, where $a_1 \ldots a_k b$ is a prefix of $\sigma$ 

$(\sigma, S), a_1 \ldots a_k \models not\ l$ iff $(\sigma, S), a_1 \ldots a_k \not\models l$ 

The satisfiability of rule bodies in a partial interpretation is defined as usual: 

$(\sigma, S), a_1 \ldots a_k \models t_1, \ldots, t_n$ iff $(\sigma, S), a_1 \ldots a_k \models t_i$ for $i = 1, \ldots, n$. 

A rule $H \leftarrow Body$ is satisfied in a partial temporal interpretation $(\sigma, S)$ if $(\sigma, S), \varepsilon \models Body$ 
implies $(\sigma, S), \varepsilon \models H$, where $\varepsilon$ is the empty action sequence. 

A rule $\Box(H \leftarrow Body)$ is satisfied in a partial temporal interpretation $(\sigma, S)$ if, 
for all action sequences $a_1 \ldots a_k$ (including the empty one), $(\sigma, S), a_1 \ldots a_k \models Body$ 
implies $(\sigma, S), a_1 \ldots a_k \models H$. 

A rule $[a_1; \ldots; a_h](H \leftarrow Body)$ is satisfied in a partial temporal interpretation 
$(\sigma, S)$ if $(\sigma, S), a_1 \ldots a_h \models Body$ implies $(\sigma, S), a_1 \ldots a_h \models H$. 

We are now ready to define the notion of answer set for a set $P$ of rules that does 
not contain default negation. Let $P$ be a set of rules over an action alphabet $\Sigma$, not 
containing default negation, and let $\sigma \in \Sigma^\omega$. 

Definition 2 

A partial temporal interpretation $(\sigma, S)$ is a temporal answer set of $P$ if $S$ is 
minimal (in the sense of set inclusion) among the $S'$ such that $(\sigma, S')$ is a partial 
interpretation satisfying the rules in $P$. 

In order to define answer sets of a program $P$ possibly containing negation, given a 
partial temporal interpretation $(\sigma, S)$ over $\sigma \in \Sigma^\omega$, we define the reduct, $P^{(\sigma, S)}$, of $P$ 
relative to $(\sigma, S)$ extending Gelfond and Lifschitz' transform (Gelfond and Lifschitz 1988) 
to compute a different reduct of $P$ for each prefix $a_1, \ldots, a_h$ of $\sigma$. 

Definition 3 

The reduct, $P^{(\sigma, S)}_{a_1, \ldots, a_h}$, of $P$ relative to $(\sigma, S)$ and to the prefix $a_1, \ldots, a_h$ of $\sigma$ is the 
set of all the rules 

$$[a_1; \ldots; a_h](H \leftarrow t_1, \ldots, t_m)$$

such that $\Box(H \leftarrow t_1, \ldots, t_m, not\ t_{m+1}, \ldots, not\ t_n)$ is in $P$ and $(\sigma, S), a_1, \ldots, a_h \not\models 
t_i$, for all $i = m+1, \ldots, n$. The reduct $P^{(\sigma, S)}$ of $P$ relative to $(\sigma, S)$ is the union of 
all reducts $P^{(\sigma, S)}_{a_1, \ldots, a_h}$ for all prefixes $a_1, \ldots, a_h$ of $\sigma$. 

In essence, given $(\sigma, S)$, a different reduct is defined for each finite prefix of $\sigma$, 
i.e., for each possible state corresponding to a prefix of $\sigma$. 

Definition 4

A partial temporal interpretation $(\sigma, S)$ is a temporal answer set of $P$ if $(\sigma, S)$ is a temporal answer set of the reduct $P^{(\sigma,S)}$.

The definition above is a natural generalization of the usual notion of answer set to programs with temporal rules. Observe that $\sigma$ has infinitely many prefixes, so that the reduct $P^{(\sigma,S)}$ is infinite, and so are its answer sets. This is in accordance with the fact that temporal models are infinite.
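As an added illustration of Definitions 3 and 4 (this program is not part of the paper), the following Python code computes the per-prefix reduct of a small set of temporal rules relative to a candidate $(\sigma, S)$, restricted to prefixes of bounded length, and checks whether $S$ is the least model of that reduct. The toy domain, the tuple encoding of rules (scope, head, positive body, negated body), the treatment of rules without $\Box$ as holding at the empty prefix only, and the reading of $[a]l$ as vacuously satisfied when $a$ is not the next action of $\sigma$ are assumptions made for this example.

```python
"""Per-prefix reduct (Definition 3) and temporal answer-set check (Definition 4)
on a constructed toy domain, restricted to prefixes of sigma of length <= bound.
Added example; not the paper's own code."""

# Temporal literal: (prefix, literal), prefix a tuple of action names, literal a
# fluent name with a leading '-' for classical negation.  Rule elements are written
# relative to the prefix p at which the rule is instantiated:
#   ('now', l)       l holds at p
#   ('next', l)      l holds after the next action of sigma   (circle l)
#   ('after', a, l)  l holds after action a                   ([a] l)
# A rule is (scope, head, positive_body, negated_body) with scope 'init'
# (instantiated at the empty prefix only) or 'always' (the box prefix).

def neg(lit):
    return lit[1:] if lit.startswith('-') else '-' + lit

def resolve(elem, p, sigma):
    """Absolute temporal literal denoted by elem at prefix p, or None when it speaks
    about an action that sigma does not perform next (assumption: such [a]l elements
    are vacuously true, as in DLTL).  sigma must provide the action sigma[len(p)]."""
    kind = elem[0]
    if kind == 'now':
        return (p, elem[1])
    nxt = sigma[len(p)]
    if kind == 'next':
        return (p + (nxt,), elem[1])
    if kind == 'after':
        return (p + (nxt,), elem[2]) if elem[1] == nxt else None
    raise ValueError(elem)

def satisfied(elem, p, sigma, S):
    lit = resolve(elem, p, sigma)
    return lit is None or lit in S

def reduct(rules, sigma, S, bound):
    """Union of the reducts P_{a1...ah}^{(sigma,S)} for prefixes of length <= bound:
    a rule survives at p iff none of its 'not' elements is satisfied by (sigma, S)
    at p; it is then kept positive and anchored at p."""
    out = []
    for n in range(bound + 1):
        p = tuple(sigma[:n])
        for scope, head, pos, negs in rules:
            if scope == 'init' and n > 0:
                continue
            if not any(satisfied(t, p, sigma, S) for t in negs):
                out.append((p, head, pos))
    return out

def least_model(positive_rules, sigma, bound):
    """Least fixpoint of the definite program; literals beyond the bound are dropped."""
    M, changed = set(), True
    while changed:
        changed = False
        for p, head, pos in positive_rules:
            h = resolve(head, p, sigma)
            if h is None or len(h[0]) > bound or h in M:
                continue
            if all(b is None or b in M for b in (resolve(t, p, sigma) for t in pos)):
                M.add(h)
                changed = True
    return M

def is_temporal_answer_set(rules, sigma, S, bound):
    """(sigma, S) is a temporal answer set (up to the bound) iff S, restricted to the
    bound, is the least model of its own reduct (Definitions 2 and 4)."""
    S_bound = {lit for lit in S if len(lit[0]) <= bound}
    return least_model(reduct(rules, sigma, S, bound), sigma, bound) == S_bound

# Constructed domain in the style of the Russian turkey example: inertial fluents
# alive and loaded, action laws for load and shoot, persistency laws for every literal.
RULES = [
    ('init', ('now', 'alive'), [], []),
    ('init', ('now', '-loaded'), [], []),
    ('always', ('after', 'load', 'loaded'), [], []),                     # [load]loaded
    ('always', ('after', 'shoot', '-alive'), [('now', 'loaded')], []),   # [shoot]-alive <- loaded
] + [
    ('always', ('next', l), [('now', l)], [('next', neg(l))])            # circle l <- l, not circle -l
    for l in ('alive', '-alive', 'loaded', '-loaded')
]
SIGMA = ('load', 'shoot', 'load', 'shoot')   # prefix of an infinite action sequence
BOUND = 3

def expected_answer_set():
    """The temporal answer set over SIGMA (unique here: the domain is deterministic)."""
    states = {
        (): {'alive', '-loaded'},
        ('load',): {'alive', 'loaded'},
        ('load', 'shoot'): {'-alive', 'loaded'},
        ('load', 'shoot', 'load'): {'-alive', 'loaded'},
    }
    return {(p, l) for p, lits in states.items() for l in lits}

if __name__ == '__main__':
    S = expected_answer_set()
    print(is_temporal_answer_set(RULES, SIGMA, S, BOUND))                              # True
    print(is_temporal_answer_set(RULES, SIGMA, S - {(('load',), 'loaded')}, BOUND))   # False
    print(is_temporal_answer_set(RULES, SIGMA, S | {(('load',), '-loaded')}, BOUND))  # False
```

The two failing candidates show the two ways a set can miss being an answer set: dropping $[load]loaded$ leaves a rule of the reduct unsatisfied (and lets the persistency law for $\neg loaded$ survive, deriving the opposite literal), while adding $[load]\neg loaded$ puts a literal in $S$ that nothing in the reduct supports.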

In the following, we will devote our attention to those domain descriptions $D = (\Pi, C)$ such that $\Pi$ has total temporal answer sets. We will call such domain descriptions well-defined domain descriptions. As we will see below, total temporal answer sets can indeed be regarded as temporal models (according to the definition of model in Section 2). Although it is not possible to define general syntactic conditions which guarantee that the temporal answer sets of $\Pi$ are total, this can be done in some specific cases. It is possible to prove the following:

Proposition 1

Let $D = (\Pi, C)$ be a domain description over $\Sigma$, such that all fluents are inertial. Let $\sigma \in \Sigma^\omega$. Any answer set of $\Pi$ over $\sigma$ is a total answer set over $\sigma$.

This result is not surprising, since, as we have assumed in the previous section, the laws for completing the initial state are implicitly added to $\Pi$, so that the initial state is complete. Moreover, it can be shown that (under the condition, stated in Proposition 1, that all fluents are inertial) the execution of an action in a complete state produces (nondeterministically, due to the presence of nondeterministic actions) a new complete state, which is determined only by the action laws, causal laws and persistency laws applied in that state.

In the following, we define the notion of extension of a well-defined domain description $D = (\Pi, C)$ over $\Sigma$ in two steps: first, we find the temporal answer sets of $\Pi$; second, we filter out all the temporal answer sets which do not satisfy the temporal constraints in $C$. For the second step, we need to define when a temporal formula $\alpha$ is satisfied in a total temporal interpretation $(\sigma, S)$. Observe that a total answer set $(\sigma, S)$ can easily be seen as a temporal model, as defined in Section 2. Given a total answer set $(\sigma, S)$ we define the corresponding temporal model as $M_S = (\sigma, V_S)$, where $p \in V_S(a_1, \ldots, a_h)$ if and only if $[a_1; \ldots; a_h]p \in S$, for all atomic propositions $p$. We say that a total answer set $S$ over $\sigma$ satisfies a DLTL formula $\alpha$ if $M_S, \varepsilon \models \alpha$.

Definition 5

An extension of a well-defined domain description $D = (\Pi, C)$ over $\Sigma$ is a (total) answer set $(\sigma, S)$ of $\Pi$ which satisfies the constraints in $C$.

Notice that, in general, a domain description may have more than one extension even for the same action sequence $\sigma$: the different extensions of $D$ with the same $\sigma$ account for the different possible initial states (when the initial state is incompletely specified) as well as for the different possible effects of nondeterministic actions.

Example 4

Assume the dummy action is added to the Russian Turkey domain in Section 3. Given the infinite sequence $\sigma_1 = \neg in\_sight?; wait; in\_sight?; load; shoot; dummy; \ldots$, the domain description has (among the others) an extension $(\sigma_1, S_1)$ over $\sigma_1$ containing the following temporal literals (for the sake of brevity, we write $[a_1; \ldots; a_n](l_1 \wedge \ldots \wedge l_k)$ to mean that $[a_1; \ldots; a_n]l_i$ holds in $S_1$ for all $i$):

$[\varepsilon](alive \wedge \neg in\_sight \wedge \neg frightened \wedge \neg loaded)$,
$[\neg in\_sight?](alive \wedge \neg in\_sight \wedge \neg frightened \wedge \neg loaded)$,
$[\neg in\_sight?; wait](alive \wedge in\_sight \wedge frightened \wedge \neg loaded)$,
$[\neg in\_sight?; wait; in\_sight?](alive \wedge in\_sight \wedge frightened \wedge \neg loaded)$,
$[\neg in\_sight?; wait; in\_sight?; load](alive \wedge in\_sight \wedge frightened \wedge loaded)$,
$[\neg in\_sight?; wait; in\_sight?; load; shoot](\neg alive \wedge in\_sight \wedge frightened \wedge loaded)$,
$[\neg in\_sight?; wait; in\_sight?; load; shoot; dummy](\neg alive \wedge in\_sight \wedge frightened \wedge loaded)$

and so on. This extension satisfies the constraints in the domain description and corresponds to a linear temporal model $M_{S_1} = (\sigma_1, V_{S_1})$.

To conclude this section we would like to point out that, given a domain description $D = (\Pi, C)$ over $\Sigma$ such that $\Pi$ only admits total answer sets, a transition system $(W, I, T)$ can be associated with $\Pi$, as follows:

- $W$ is the set of all the possible consistent and complete states of the domain description;

- $I$ is the set of all the states in $W$ satisfying the initial state laws in $\Pi$;

- $T \subseteq W \times \Sigma \times W$ is the set of all triples $(w, a, w')$ such that: $w, w' \in W$, $a \in \Sigma$ and for some total answer set $(\sigma, S)$ of $\Pi$: $w = w^{(\sigma,S)}_{[a_1; \ldots; a_h]}$ and $w' = w^{(\sigma,S)}_{[a_1; \ldots; a_h; a]}$.

Intuitively, $T$ is the set of transitions between states. A transition labelled $a$ from $w$ to $w'$ (represented by the triple $(w, a, w')$) is present in $T$ if there is a (total) answer set of $\Pi$ in which $w$ is a state and the execution of action $a$ in $w$ leads to the state $w'$.
5 Reasoning tasks

Given a domain description $D = (\Pi, C)$ over $\Sigma$ and a temporal goal $\alpha$ (a DLTL formula), we are interested in finding out the extensions of $D = (\Pi, C)$ satisfying/falsifying $\alpha$. While in the next section we will focus on the use of bounded model checking techniques for answering this question, in this one we show that many reasoning problems, including temporal projection, planning and diagnosis, can be characterized in this way.

Suppose that in Example 1 we want to know if there is a scenario in which the turkey is not alive after the action sequence $\neg in\_sight?; wait; in\_sight?; load; shoot$. We can solve this temporal projection problem by finding out an extension of the domain description which satisfies the temporal formula

$\langle \neg in\_sight?; wait; in\_sight?; load; shoot \rangle \neg alive$

The extension $S_1$ in Example 4 indeed satisfies the temporal formula above, since $\langle \neg in\_sight?; wait; in\_sight?; load; shoot \rangle \neg alive$ is true in the linear model $M_{S_1} = (\sigma_1, V_{S_1})$ associated with the extension $S_1$.

It is well known that a planning problem can be formulated as a satisfiability problem (Giunchiglia and Traverso 1999). In the case of a complete initial state and deterministic actions, the problem of finding a plan which makes the turkey not alive and the gun loaded can be stated as the problem of finding an extension of the domain description in which the formula $\Diamond(\neg alive \wedge loaded)$ is satisfied. The extension provides a plan for achieving the goal $\neg alive \wedge loaded$.

With an incomplete initial state, or with nondeterministic actions, the problem of finding a conformant/universal plan which works for all the possible completions of the initial state and for all the possible outcomes of nondeterministic actions cannot be simply solved by checking the satisfiability of the formula above. The computed plan must also be tested to be a conformant plan. On the one hand, it must be verified that the computed plan $\pi$ always achieves the given $Goal$, i.e., there is no extension of the domain description satisfying the formula $\langle \pi \rangle \neg Goal$. On the other hand, it must be verified that $\pi$ is executable in all initial states. This can be done, for instance, adopting techniques similar to those in (Giunchiglia 2000). (Eiter et al. 2003) addresses the problem of conformant planning in the DLV$^K$ system. (Tu et al. 2011) develops conformant planners based on a notion of approximation of action theories in the action language AC (Baral and Gelfond 2000).

As concerns diagnosis, consider systems like the one in Example 3. A diagnosis of a fault observation $obs_f$ is a run from the initial state to a state in which $obs_f$ holds and which does not contain fault observations in the previous states (Panati and Theseider Dupré 2000), i.e., an extension satisfying the formula $(\neg obs_1 \wedge \ldots \wedge \neg obs_n)\ \mathcal{U}\ obs_f$, where $obs_1, \ldots, obs_n$ are all the possible observations of fault. In Example 3, $p\_obs\_low$ is the only possible fault observation, hence a diagnosis for it is an extension of the domain description which satisfies $\Diamond p\_obs\_low$.

As concerns property verification, an example has been given in Example 2. We observe that the verification that a domain description $D$ is well-defined can be done by adding to the domain description a static law $\Box(undefined\_fluent \leftarrow \mathit{not}\ f \wedge \mathit{not}\ \neg f)$, for each fluent literal $f$, and by verifying that there are no extensions in which $\Diamond undefined\_fluent$ holds in the initial state.

Other reasoning tasks which can be addressed by checking the satisfiability or validity of formulas in a temporal action theory are multiagent protocol verification (Giordano et al. 2007), and verification of the compliance of business processes to norms (D'Aprile et al. 2010).



6 Model checking and bounded model checking

LTL is widely used to prove properties of systems by means of model checking. The property to be verified can be represented as an LTL formula $\varphi$, whereas a Kripke structure provides the model of the system to be verified (in the current case, the transition system associated with the domain description). A standard approach to verification is based on the construction of the Büchi automaton for the negated property and on the computation of the product of such automaton with the model of the system. The property is verified when the language accepted by the product automaton is empty, whereas any infinite word accepted by the product automaton provides a counterexample to the validity of $\varphi$. This approach is also feasible for DLTL, as it is possible to construct a Büchi automaton for a given DLTL formula (Henriksen and Thiagarajan 1999). In particular, as for LTL, the construction of the automaton can be done on-the-fly, while checking for the emptiness of the language accepted by the automaton (Giordano and Martelli 2006).

In (Biere et al. 2003) it has been shown that, in some cases, model checking can be more efficient if, instead of building the product automaton and checking for an accepting run on it, we build only an accepting run of the automaton (if there is one). This technique is called bounded model checking (BMC), since it looks for paths whose length is bounded by some integer $k$, by iteratively increasing the length $k$ until a run satisfying $\neg\varphi$ is found (if one exists). The paths considered are infinite paths which can be finitely represented as paths of length $k$ with a back loop from state $k$ to a previous state in the path: it can be shown that, if a Büchi automaton has an accepting run, it has one which can be represented in this way.

A BMC problem can be efficiently reduced to a propositional satisfiability problem (Biere et al. 2003) or to an ASP problem (Heljanko and Niemelä 2003). BMC provides a partial decision procedure for checking validity: if no model exists, the iterative procedure will never stop. Techniques for achieving completeness are described in (Biere et al. 2003).

In the next section, we address the problem of defining a translation of a domain description into standard ASP, so that bounded model checking techniques can be used to check if a temporal goal (a DLTL formula) is satisfiable in some extension of the domain description. The approach we propose for the verification of DLTL formulas extends the one developed in (Heljanko and Niemelä 2003) for bounded LTL model checking with Stable Models.
7 Translation to ASP

In this section, we show how to translate a domain description to standard ASP.

A temporal model consists of an infinite sequence of actions and a valuation function giving the value of fluents in the states of the model. States are represented in ASP as integers, starting with the initial state 0. We will use the predicates occurs(Action, State) and holds(Literal, State). Occurrence of exactly one action in each state must be encoded:

¬occurs(A, S) ← occurs(A1, S), action(A), action(A1), A ≠ A1, state(S).

occurs(A, S) ← not ¬occurs(A, S), action(A), state(S).

Given a domain description $(\Pi, C)$, the rules in $\Pi$ can be translated as follows. Action laws $\Box([a](\neg)f_0 \leftarrow t_1, \ldots, t_m, \mathit{not}\ t_{m+1}, \ldots, \mathit{not}\ t_n)$ are translated to

$(\neg)holds(f_0, S') \leftarrow state(S), S' = S + 1, occurs(a, S), h_1, \ldots, h_m, \mathit{not}\ h_{m+1}, \ldots, \mathit{not}\ h_n$

where $h_i = (\neg)holds(f_i, S')$ if $t_i = [a](\neg)f_i$ and $h_i = (\neg)holds(f_i, S)$ if $t_i = (\neg)f_i$. Dynamic causal laws $\Box(\bigcirc(\neg)f_0 \leftarrow t_1, \ldots, t_m, \mathit{not}\ t_{m+1}, \ldots, \mathit{not}\ t_n)$ are translated to

$(\neg)holds(f_0, S') \leftarrow state(S), S' = S + 1, h_1, \ldots, h_m, \mathit{not}\ h_{m+1}, \ldots, \mathit{not}\ h_n$

where $h_i = (\neg)holds(f_i, S')$ if $t_i = \bigcirc(\neg)f_i$ and $h_i = (\neg)holds(f_i, S)$ if $t_i = (\neg)f_i$.

Static causal laws (2) are translated in a similar way (replacing $S'$ with $S$ in the head), while initial state laws are evaluated in state 0.

Precondition laws $\Box([a]\bot \leftarrow l_1, \ldots, l_m, \mathit{not}\ l_{m+1}, \ldots, \mathit{not}\ l_n)$ are translated to ASP constraints

$\leftarrow state(S), occurs(a, S), h_1, \ldots, h_m, \mathit{not}\ h_{m+1}, \ldots, \math​it{not}\ h_n$

where $h_i = holds(l_i, S)$.

As described in the previous section, we are interested in infinite models represented as k-loops, i.e., finite sequences of states from 0 to $k$ with a back loop from state $k$ to a previous state. Thus, we assume a bound $k$ on the number of states.

The above rules compute a finite model from state 0 to state $k+1$. To detect the loop, we must find a state $j$, $0 \le j \le k$, equal to state $k+1$. This can be achieved by defining a predicate eq_last(S) to check if state S is equal to state $k+1$, and a predicate next(S1, S2) such that next(i, i+1) for $0 \le i \le k-1$, and next(k, j).

diff_last(S) ← state(S), S <= k, fluent(F), holds(F, S), ¬holds(F, k+1).

diff_last(S) ← state(S), S <= k, fluent(F), holds(F, k+1), ¬holds(F, S).

eq_last(S) ← state(S), S <= k, not diff_last(S).

next(S, SN) ← state(S), S < k, SN = S + 1.

¬next(k, S) ← next(k, SS), state(S), state(SS), S ≠ SS.

next(k, S) ← state(S), S <= k, not ¬next(k, S).

← next(k, S), not eq_last(S).

The second and third rules for next impose that there is exactly one state next to state $k$; the last constraint imposes that such a state is equal to state $k+1$.

Given a domain description $(\Pi, C)$, we denote by $tr(\Pi)$ the set of rules containing the translation of each law in $\Pi$ as well as the definitions of eq_last, diff_last and next, as defined above. Observe that an answer set $R$ of $tr(\Pi)$ such that, for each state $i = 1, \ldots, k$, either $holds(p, i) \in R$ or $\neg holds(p, i) \in R$, represents a temporal model as a k-loop. The temporal model $M_R = (\sigma_R, V_R)$ associated with $R$ can be defined as follows:

$\sigma_R = a_1 a_2 \cdots a_j a_{j+1} \cdots a_{k+1} a_{j+1} \cdots a_{k+1} \cdots$

where $occurs(a_1, 0), occurs(a_2, 1), \ldots, occurs(a_{j+1}, j), \ldots, occurs(a_{k+1}, k), next(k, j)$ (i.e., $a_{k+1}$ leads back to state $j$) belong to $R$, and, for all atomic propositions $p \in \mathcal{P}$:

$p \in V_R(\varepsilon)$ if and only if $holds(p, 0) \in R$

$p \in V_R(a_1 \ldots a_h)$ if and only if $holds(p, h) \in R$, for $0 < h \le k$

$p \in V_R(a_1 \ldots a_{k+1})$ if and only if $holds(p, j) \in R$.
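As an added illustration of the loop detection encoded by diff_last, eq_last and next, and of the model $(\sigma_R, V_R)$ read off an answer set, here is a small Python program (not the paper's DLV code) that performs the same two steps on a run given as explicit data: it finds the states $j$ equal to state $k+1$, builds the next relation, and unfolds the k-loop into a prefix of $\sigma_R$ with its valuation. The run is constructed from the counterexample described later in this section for the mail example ($k = 3$, loop back to state 0); the function names are mine.

```python
"""Loop detection on a bounded run (the diff_last / eq_last / next rules) and the
temporal model (sigma_R, V_R) read off a k-loop.  Added example with constructed
data; not the paper's DLV encoding."""

def diff_last(states, k, s):
    """diff_last(s): some fluent has a different value in state s and in state k+1.
    states[i] is the set of fluents true in state i (states are complete)."""
    return states[s] != states[k + 1]

def eq_last_states(states, k):
    """All states j, 0 <= j <= k, for which eq_last(j) holds, i.e. the candidates
    for the back loop.  The ASP encoding picks one of them nondeterministically."""
    return [j for j in range(k + 1) if not diff_last(states, k, j)]

def next_relation(k, j):
    """next(i, i+1) for 0 <= i <= k-1 and next(k, j): the k-loop closed at j."""
    rel = {i: i + 1 for i in range(k)}
    rel[k] = j
    return rel

def unfold(occurs, states, k, j, length):
    """First `length` actions of sigma_R and the valuation V_R along them.
    occurs[i] is the action executed in state i, i.e. occurs(a_{i+1}, i)."""
    nxt = next_relation(k, j)
    seq, vals, s = [], [frozenset(states[0])], 0
    for _ in range(length):
        seq.append(occurs[s])
        s = nxt[s]                       # after a_{k+1} we are back in state j
        vals.append(frozenset(states[s]))
    return seq, vals

# Constructed run (k = 3, states 0..4) following the mail-agent counterexample:
# mail(b) holds in every state, mail(a) only in states 2 and 3; state 4 repeats state 0.
RUN_STATES = [{'mail(b)'}, {'mail(b)'}, {'mail(a)', 'mail(b)'},
              {'mail(a)', 'mail(b)'}, {'mail(b)'}]
RUN_OCCURS = ['begin', 'sense_mail(a)', 'sense_mail(b)', 'deliver_mail(a)']
K = 3

def loop_model(states=RUN_STATES, occurs=RUN_OCCURS, k=K, j=None):
    """Check that the run is a k-loop and return (j, next, first 6 actions of sigma_R),
    or None when no state equals state k+1 (the constraint on next(k, S) would fail)."""
    candidates = eq_last_states(states, k)
    if not candidates:
        return None
    j = candidates[0] if j is None else j
    seq, _ = unfold(occurs, states, k, j, 6)
    return j, next_relation(k, j), seq

if __name__ == '__main__':
    print(loop_model())   # (0, {0: 1, 1: 2, 2: 3, 3: 0}, ['begin', 'sense_mail(a)', ...])
```

Note that state 1 also equals state 4 in this run, so next(3, 1) would be an equally valid loop closure; the answer sets of the ASP encoding differ exactly in that choice.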

We can show that there is a one-to-one correspondence between the temporal answer sets of $\Pi$ and the answer sets of the translation $tr(\Pi)$. Let $(\Pi, C)$ be a well-defined domain description over $\Sigma$.

Theorem 1

(1) Given a temporal answer set $(\sigma, S)$ of $\Pi$ such that $\sigma$ can be finitely represented as a finite path with a k-loop, there is a consistent answer set $R$ of $tr(\Pi)$ such that $R$ and $S$ correspond to the same temporal model.

(2) Given a consistent answer set $R$ of $tr(\Pi)$, there is a temporal answer set $(\sigma, S)$ of $\Pi$ (that can be finitely represented as a finite path with a back loop) such that $R$ and $S$ correspond to the same temporal model.

We refer to Appendix A for the proof.

Let us now come to the problem of evaluating a DLTL formula over the models associated with the answer sets of $tr(\Pi)$. To deal with DLTL formulas, we use the predicate sat(alpha, S) to express satisfiability of a DLTL formula $\alpha$ in a state of a model. As in (Giordano and Martelli 2006) we assume that until formulas are indexed with finite automata rather than regular expressions, by exploiting the equivalence between regular expressions and finite automata. Thus, we have $\alpha\, \mathcal{U}^{A(q)} \beta$ instead of $\alpha\, \mathcal{U}^{\pi} \beta$, where $\mathcal{L}(A(q)) = [\![\pi]\!]$. More precisely, let $A = (Q, \delta, Q_F)$ be an $\varepsilon$-free nondeterministic finite automaton over the alphabet $\Sigma$ without an initial state, where $Q$ is a finite set of states, $\delta : Q \times \Sigma \to 2^Q$ is the transition function, and $Q_F$ is the set of final states. Given a state $q \in Q$, we denote with $A(q)$ an automaton $A$ with initial state $q$. In the definition of predicate sat for until formulas, we refer to the following axioms (Henriksen and Thiagarajan 1999):

$\alpha\, \mathcal{U}^{A(q)} \beta \equiv \beta \vee (\alpha \wedge \bigvee_{a \in \Sigma} \langle a \rangle \bigvee_{q' \in \delta(q,a)} \alpha\, \mathcal{U}^{A(q')} \beta)$ ($q$ is a final state of $A$)

$\alpha\, \mathcal{U}^{A(q)} \beta \equiv \alpha \wedge \bigvee_{a \in \Sigma} \langle a \rangle \bigvee_{q' \in \delta(q,a)} \alpha\, \mathcal{U}^{A(q')} \beta$ ($q$ is not a final state of $A$)

In the translation to ASP, DLTL formulas will be represented with terms. In particular, the formula $\alpha\, \mathcal{U}^{A(q)} \beta$ will be represented as until(A, q, alpha, beta). Furthermore, we assume the automaton $A$ to be described with the predicates trans(A, Q1, Act, Q2), defining the transitions, and final(A, Q), defining the final states. The definition of sat is the following:

fluent: sat(F, S) ← fluent(F), holds(F, S).

or: sat(or(Alpha, Beta), S) ← sat(Alpha, S).

sat(or(Alpha, Beta), S) ← sat(Beta, S).

neg: sat(neg(Alpha), S) ← not sat(Alpha, S).

until: sat(until(Aut, Q, Alpha, Beta), S) ← final(Aut, Q), sat(Beta, S).

sat(until(Aut, Q, Alpha, Beta), S) ←
    sat(Alpha, S), trans(Aut, Q, Act, Q1), occurs(Act, S),
    next(S, S1), sat(until(Aut, Q1, Alpha, Beta), S1).

Similar definitions can be given for derived connectives and modalities. For instance, the temporal formulas $\Diamond\alpha$, $\langle a \rangle \alpha$ and $[a]\alpha$ are represented, respectively, by the terms eventually(t_alpha), diamond(a, t_alpha) and box(a, t_alpha), where t_alpha is the term encoding the formula $\alpha$. The definition of sat for such formulas is the following:

eventually: sat(eventually(Alpha), S) ← sat(Alpha, S).

eventually: sat(eventually(Alpha), S) ← next(S, S1), sat(eventually(Alpha), S1).

⟨a⟩: sat(diamond(A, Alpha), S) ← occurs(A, S), next(S, S1), sat(Alpha, S1).

[a]: sat(box(A, Alpha), S) ← action(A), occurs(B, S), A ≠ B.

[a]: sat(box(A, Alpha), S) ← occurs(A, S), next(S, S1), sat(Alpha, S1).

Since states are complete, we can identify default negation with classical negation, thus having a two-valued interpretation of DLTL formulas. We must also add a constraint ← not sat(t_alpha, 0), for each temporal constraint $\alpha$ in the domain description, where states are represented by numbers, 0 is the initial state and t_alpha is the term encoding the formula $\alpha$. The presence of the constraint ← not sat(t_alpha, 0) in the translation of the domain description guarantees that $\alpha$ must be satisfied, as the negated formula not sat(t_alpha, 0) is not allowed to be true in the answer set.

As an example, the encoding of the temporal constraint

$\Box[begin]\langle sense(a); sense(b); (deliver(a) + deliver(b) + wait); begin \rangle \top$

in Example 2 is given by the following rules:

← not sat(neg(ev(neg(box(begin, until(aut, q1, true, true))))), 0).
trans(aut, q1, sense(a), q2).
trans(aut, q2, sense(b), q3).
trans(aut, q3, deliver(a), q4).
trans(aut, q3, deliver(b), q4).
trans(aut, q3, wait, q4).
trans(aut, q4, begin, q5).
final(aut, q5).

The first rule encodes the constraint, while the following ones encode the definition of the automaton aut, which is equivalent to the regular expression indexing the until formula in the constraint.

It is easy to see that the computation of the satisfiability of a formula $\alpha$ in a given state depends only on a finite set of formulas consisting of the subformulas of $\alpha$ and the formulas derived from an until subformula. We say that a formula $\gamma\, \mathcal{U}^{A(q')} \beta$ is derived from a formula $\gamma\, \mathcal{U}^{A(q)} \beta$ if $q'$ is reachable from $q$ in $A$.

It is possible to see that the definition of the predicate sat, as given above for the base cases (fluent, or, neg, until), provides a correct evaluation of the temporal formulas over the temporal models associated with the translation $tr(\Pi)$ of $\Pi$. Let $tr'(\Pi)$ be the set of rules extending the rules in $tr(\Pi)$ with the definition of predicate sat above. Let $(\Pi, C)$ be a well-defined domain description over $\Sigma$. We can prove the following theorem (the proof can be found in Appendix A):

Theorem 2

Let $\Pi$ be the set of laws of a well-defined domain description, $R$ an answer set of $tr(\Pi)$ and $\alpha$ a DLTL formula. The temporal model $M_R = (\sigma, V)$ associated with $R$ satisfies $\alpha$ if and only if there is an answer set $R'$ of $tr'(\Pi)$ such that $R \subseteq R'$ and $sat(t\_alpha, 0) \in R'$ (where t_alpha is the term representing the formula $\alpha$ and trans and final encode the automata indexing the until formulas in $\alpha$).

The above formulation of sat is indeed the direct translation of the semantics of DLTL, which is given for infinite models. Intuitively, we can show that it works also when the model is represented as a k-loop, by considering the case of until formulas. If $S$ is a state belonging to the loop, the goal $sat(\alpha\, \mathcal{U}^{A(q)} \beta, S)$ can depend cyclically on itself. This happens if the only rule which can be applied to prove the satisfiability of $\alpha\, \mathcal{U}^{A(q)} \beta$ (or one of its derived formulas in each state of the loop) is the second rule of until. In this case, $sat(\alpha\, \mathcal{U}^{A(q)} \beta, S)$ will be undefined, which amounts to saying that $\alpha\, \mathcal{U}^{A(q)} \beta$ is not true. This is correct, since, if this happens, $\alpha$ must be true in each state of the loop, and $\beta$ must be false in all states of the loop corresponding to final states of $A$. Thus, by unfolding the cyclic sequence into an infinite sequence, $\alpha\, \mathcal{U}^{A(q)} \beta$ will never be satisfied.
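To make the sat rules and the remark on cyclic until goals concrete, here is an added Python evaluator (not the paper's DLV program) that computes sat as a least fixpoint over a k-loop model: the two until rules become the base case and the inductive step of the fixpoint, so a goal that could only be re-proved by the second until rule around the loop stays unproved, exactly as argued above. The models RUN and STUCK, the tuple encoding of formulas, and the one-state automaton used to write $\Diamond mail(a)$ as an until are constructed for this example; it evaluates the Example 2 constraint from the previous paragraphs and the negated mail property that appears later in this section.

```python
"""Two-valued evaluation of DLTL formulas over a k-loop model, mirroring the sat
rules for fluent / or / neg / until and the derived eventually, <a> and [a], with
until and eventually computed as least fixpoints.  Added example with constructed
models and formula encoding; not the paper's DLV program."""

class KLoopModel:
    """States 0..k with complete valuations, one action per state, and next(k, j)
    closing the loop (constructed)."""
    def __init__(self, holds, occurs, j):
        self.holds = [frozenset(h) for h in holds]     # holds[s]: fluents true in s
        self.occurs = list(occurs)                     # occurs[s]: action executed in s
        k = len(holds) - 1
        self.next = {s: s + 1 for s in range(k)}
        self.next[k] = j
        self.states = set(range(k + 1))

class Automaton:
    """epsilon-free NFA without initial state: trans(q, act, q') triples plus the
    final states; A(q) is the automaton started in q."""
    def __init__(self, trans, final):
        self.trans = set(trans)
        self.final = set(final)

def lfp(start, step):
    """Least fixpoint: keep adding what `step` derives until nothing is new."""
    cur = set(start)
    while True:
        new = cur | step(cur)
        if new == cur:
            return cur
        cur = new

def sat(f, m):
    """Set of states of m in which formula f holds (states are complete, so
    'not sat' and classical negation coincide)."""
    kind = f[0]
    if kind == 'true':
        return set(m.states)
    if kind == 'fluent':
        return {s for s in m.states if f[1] in m.holds[s]}
    if kind == 'or':
        return sat(f[1], m) | sat(f[2], m)
    if kind == 'neg':
        return m.states - sat(f[1], m)
    if kind == 'impl':                                 # a -> b  is  neg(a) or b
        return sat(('or', ('neg', f[1]), f[2]), m)
    if kind == 'ev':                                   # the two eventually rules
        return lfp(sat(f[1], m), lambda r: {s for s in m.states if m.next[s] in r})
    if kind == 'diamond':                              # <a>f: a occurs now, f holds next
        nxt = sat(f[2], m)
        return {s for s in m.states if m.occurs[s] == f[1] and m.next[s] in nxt}
    if kind == 'box':                                  # [a]f: a not executed now, or f holds next
        nxt = sat(f[2], m)
        return {s for s in m.states if m.occurs[s] != f[1] or m.next[s] in nxt}
    if kind == 'until':
        _, aut, q0, a, b = f
        A, B = sat(a, m), sat(b, m)
        # first until rule: pairs (state, final automaton state) where beta holds
        base = {(s, q) for s in B for q in aut.final}
        # second until rule: alpha holds and a transition on the executed action leads
        # to a pair already proved; going round the loop alone never proves anything
        step = lambda r: {(s, q) for s in A for (q, act, q1) in aut.trans
                          if m.occurs[s] == act and (m.next[s], q1) in r}
        return {s for (s, q) in lfp(base, step) if q == q0}
    raise ValueError(f)

def holds_initially(f, m):
    """The constraint <- not sat(t_alpha, 0) is met iff state 0 is in sat(f, m)."""
    return 0 in sat(f, m)

def always(f):
    """Box-always f, encoded as neg(ev(neg(f))) like the constraint in the text."""
    return ('neg', ('ev', ('neg', f)))

# Automaton for  sense(a); sense(b); (deliver(a) + deliver(b) + wait); begin
AUT = Automaton([('q1', 'sense(a)', 'q2'), ('q2', 'sense(b)', 'q3'),
                 ('q3', 'deliver(a)', 'q4'), ('q3', 'deliver(b)', 'q4'),
                 ('q3', 'wait', 'q4'), ('q4', 'begin', 'q5')], ['q5'])
PROTOCOL = always(('box', 'begin', ('until', AUT, 'q1', ('true',), ('true',))))
# negated property  ev(neg(impl(mail(b), ev(neg(mail(b))))))
NEG_PROPERTY = ('ev', ('neg', ('impl', ('fluent', 'mail(b)'),
                                 ('ev', ('neg', ('fluent', 'mail(b)'))))))
# "eventually mail(a)" written as an until indexed by a one-state automaton for Sigma*
ANY = Automaton([('p', act, 'p') for act in ('begin', 'sense(a)', 'sense(b)',
                                             'deliver(a)', 'deliver(b)', 'wait')], ['p'])
EV_MAIL_A = ('until', ANY, 'p', ('true',), ('fluent', 'mail(a)'))

# Constructed k-loops (k = 3). RUN follows the protocol and loops back to state 0;
# STUCK loops from state 3 back to state 1, so after begin no final state is reached.
RUN = KLoopModel([{'mail(b)'}, {'mail(b)'}, {'mail(a)', 'mail(b)'}, {'mail(a)', 'mail(b)'}],
                 ['begin', 'sense(a)', 'sense(b)', 'deliver(a)'], j=0)
STUCK = KLoopModel([{'mail(b)'}] * 4, ['begin', 'sense(a)', 'sense(b)', 'wait'], j=1)
```

In STUCK the until goal started after begin cycles through the loop without ever meeting the first until rule, so the fixpoint leaves it unproved and the constraint fails; in RUN the same constraint holds, and NEG_PROPERTY holds in state 0 because mail(b) is never delivered, which is the counterexample discussed below.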

Given a domain description $D = (\Pi, C)$, the translation $tr(D)$ of $D$ contains: the translation $tr(\Pi)$ of $\Pi$, the definition of the predicates sat, trans and final, and, for each temporal formula $\alpha$ in $C$, the constraint ← not sat(t_alpha, 0).

Let $(\Pi, C)$ be a well-defined domain description over $\Sigma$. Given Theorems 1 and 2 above, it can be proved that:

Corollary 1

There is a one-to-one correspondence between the extensions of the domain description $D$ and the answer sets of its translation $tr(D)$ in ASP.

More precisely, each extension of $D$ is in a one-to-one correspondence with an answer set of $tr(D)$, and both of them are associated with the same temporal model.

Given a temporal formula $\alpha$, we may want to check if there is an extension of the domain description $D$ satisfying it. To this purpose, as for the temporal formulas in $C$, we add to the translation $tr(D)$ of $D$ the constraint ← not sat(t_alpha, 0), so that the answer sets falsifying $\alpha$ are excluded.

According to the bounded model checking technique, the search for an extension of the domain description satisfying $\alpha$ is done by iteratively increasing the length $k$ of the sequence searched for, until a cyclic model is found (if one exists). On the other hand, validity of a formula $\alpha$ can be proved, as usual in model checking, by verifying that $D$ extended with the negation $\neg\alpha$ is not satisfiable. Let us consider, from Example 2, the property $\Box(mail(b) \supset \Diamond\neg mail(b))$ (if there is mail for b, the agent will eventually deliver it to b). This formula is valid if its negation $\Diamond\neg(mail(b) \supset \Diamond\neg mail(b))$ is not satisfiable. We verify the satisfiability of this formula by adding to the translation of the domain description the constraint

← not sat(ev(neg(impl(mail(b), ev(neg(mail(b)))))), 0).

and looking for an extension. The resulting set of rules indeed has extensions, which can be found for $k \ge 3$ and provide counterexamples to the validity of the property above. For instance, the extension in which next(0, 1), next(1, 2), next(2, 3), next(3, 0), occurs(begin, 0), occurs(sense_mail(a), 1), occurs(sense_mail(b), 2), occurs(deliver_mail(a), 3), where mail(b) holds in all states and mail(a) only in states 2 and 3, can be obtained for $k = 3$.

In Appendix B we provide the encoding of BMC and of Example 1 in the DLV-Complex extension (https://www.mat.unical.it/dlv-complex) of DLV (Leone et al. 2006). In Appendix C we report tests of our approach for bounded model checking of DLTL formulas in the line of the LTL BMC experiments in (Heljanko and Niemelä 2003). Results are provided for a DLV encoding of BMC and of action domain descriptions for the dining philosophers problems considered in that paper. The scalability of the two approaches is similar.



8 Conclusions and related work

In this paper we have described an action language which is based on a temporal extension of ASP, in which temporal modalities are included within rules. In the action language, general temporal DLTL formulas (possibly including regular programs indexing temporal modalities) are allowed in the domain description to constrain the space of possible extensions. The approach naturally deals with non-terminating computations and relies on bounded model checking techniques for the verification of temporal formulas. In (Giordano et al. 2001) a temporal action theory has been developed, which is based on the linear temporal logic DLTL and adopts a monotonic solution to the frame problem based on completion. Due to the different treatment of the frame problem, even in the case when default negation is not present in the body of the laws in $\Pi$, the notion of extension defined here is not equivalent to the one in (Giordano et al. 2001), which requires action and causal laws to be stratified to avoid unexpected extensions due to cyclic dependencies.

Bounded model checking (BMC) (Biere et al. 2003) is based on the idea of searching for a counterexample of the property to be checked in executions which are bounded by some integer $k$. SAT-based BMC methods do not suffer from the state explosion problem as the methods based on BDDs do. (Heljanko and Niemelä 2003) exploit BMC in the verification of asynchronous systems modeled by 1-safe Petri nets. They provide a translation of a Petri net to a logic program which captures the execution of the net up to $n$ steps and they develop a compact encoding of BMC of LTL formulas as the problem of finding stable models of logic programs. As a difference, the work in this paper aims at verifying properties of a temporal action theory including DLTL temporal constraints. Hence, we provide a translation of the action theory into ASP and we extend the encoding of BMC in (Heljanko and Niemelä 2003) to deal with DLTL formulas.

Our encoding of BMC of LTL formulas in ASP does not make use of the Büchi automaton construction to build the path satisfying a formula. As future work, we aim at exploring an alternative approach which exploits the Büchi automaton of the formula to achieve completeness of BMC.

Stemming from the seminal paper of Gelfond and Lifschitz on the action language A (Gelfond and Lifschitz 1993), a lot of work has been devoted to defining logic-based action languages. In particular, ASP has been shown to be well suited for reasoning about dynamic domains (Gelfond 2007). (Baral and Gelfond 2000) provide an encoding in ASP of the action specification language AC, which extends the action description language A by allowing static and dynamic causal laws, executability conditions and concurrent actions. The proposed approach has been used for planning (Tu et al. 2011) and diagnosis (Balduccini and Gelfond 2003).

The action language defined in this paper can be regarded as a temporal extension of the language A (Gelfond and Lifschitz 1993) which allows for general temporal constraints, complex actions and infinite computations, but does not deal with concurrent actions nor with incomplete knowledge. As regards laws in $\Pi$, our temporal action language has strong relations with the action languages K and C.

The logic-based planning language K (Eiter et al. 2003; Eiter et al. 2004) is well suited for planning under incomplete knowledge and allows for concurrent actions. The main constructs of K are causation rules of the form: caused f if B after A, meaning "If B is known to be true in the current state and A is known to be true in the previous state, then f is known to be true in the current state". Default negation can be used in the body of the rules and A may contain action atoms. The semantics of planning domains is defined in terms of states and transitions.

The temporal action language introduced in Section 3 for defining the component $\Pi$ of the domain description can be regarded, apart from minor differences, as a fragment of K in which concurrent actions are not allowed. In particular, action laws and dynamic causal laws (3):

$\Box([a]l_0 \leftarrow (\mathit{not})\,l_1, \ldots, (\mathit{not})\,l_m, (\mathit{not})\,[a]l_{m+1}, \ldots, (\mathit{not})\,[a]l_k)$

$\Box(\bigcirc l_0 \leftarrow (\mathit{not})\,l_1, \ldots, (\mathit{not})\,l_m, (\mathit{not})\bigcirc l_{m+1}, \ldots, (\mathit{not})\bigcirc l_k)$

can be mapped to the causation rules:

caused $l_0$ if $(\mathit{not})\,l_{m+1}, \ldots, (\mathit{not})\,l_k$ after $a, (\mathit{not})\,l_1, \ldots, (\mathit{not})\,l_m$

caused $l_0$ if $(\mathit{not})\,l_{m+1}, \ldots, (\mathit{not})\,l_k$ after $(\mathit{not})\,l_1, \ldots, (\mathit{not})\,l_m$

with the proviso, for dynamic causal laws, that $m \ge 1$. In case the literals $(\mathit{not})\,l_1, \ldots, (\mathit{not})\,l_m$ are not present (and the after part of the causation rule is empty), our dynamic causal law does not produce any effect on the initial state (which is not the next state of any other state) while the causation rule does. For this reason, our static causal laws can then be mapped to causation rules with empty after part. A similar translation can be given to precondition laws, which are special kinds of action laws, and to initial state laws, which can be mapped to initial state causation rules in K. All actions are regarded as being always executable, i.e., executable a holds for all actions a. The correctness of this mapping emerges from the ASP encoding of our temporal language, which is similar, apart from minor differences, to the translation of K to answer set programming (Eiter et al. 2003).

The system DLV$^K$ provides an implementation of K on top of the disjunctive logic programming system DLV. DLV$^K$ does not only solve optimistic planning problems, but also secure planning problems under incomplete initial states (conformant planning). DLV$^K$ does not appear to support other kinds of reasoning besides planning, and, in particular, does not allow to express or verify temporal properties nor to reason about infinite computations.



The languages C and C+ (Giunchiglia and Lifschitz 1998; Giunchiglia et al. 2004) also deal with actions with indirect and nondeterministic effects and with concurrent actions, and are based on nonmonotonic causation rules syntactically similar to those of K, where head and body of causation rules can be boolean combinations of atoms. Their semantics is based on a nonmonotonic causal logic (Giunchiglia et al. 2004). Causation rules can be represented in this logic by indexing fluents and actions with an integer $i$ ($i = 0, \ldots, n$), in such a way that models of the causal theory correspond to histories of length $n$. The semantics of causal logic requires states to be complete. Due to the differences between the underlying semantics, a mapping between our action language and the languages C and C+ appears not to be straightforward.

If a C+ causal theory is definite (the head of each rule is an atom), it is possible 
to reason about it by turning the theory into a set of propositional formulas by 
means of a completion process, and then invoking a satisfiability solver. In this way 
it is possible to perform various kinds of reasoning such as prediction, postdiction 
or planning. However, the language does not exploit standard temporal logic 
constructs to reason about actions. 

In the context of planning, temporally extended goals allow the specification of 
properties that have to be achieved in the states along the execution of the plan. The 
need for state trajectory constraints has been advocated, for instance, in PDDL3 
(Gerevini and Long 2005), the domain description language used in the 2006 International 
Planning Competition. (Bacchus and Kabanza 2000) exploits a first order 
linear temporal logic for defining domain dependent search control knowledge in 
the planner TLPlan. (Pistore and Traverso 2001) define a planning algorithm that 
generates plans for extended goals in a nondeterministic domain, where extended 
goals are CTL formulas. (Son et al. 2006) shows that temporal control knowledge 
can be incorporated in a planner written in ASP. It provides a translation of a 
planning problem whose domain is defined in the action language B into ASP, 
as well as a translation of the temporal constraints on the domain. The work on 
temporally extended goals in (Dal Lago et al. 2002; Baral and Zhao 2007) is concerned 
with expressing preferences among goals and exceptions in goal specification. 
(Son and Pontelli 2006; Bienvenu et al. 2006) introduce languages including 
temporal operators for expressing preferences on solutions of planning problems. 
(Son and Pontelli 2006), in particular, builds on answer set planning, i.e., computing 
plans in ASP; the computation of preferred plans is also mapped to ASP, relying 
on an optimization predicate. As a difference with the proposals above, in this paper 
we do not specifically focus on planning. Our language is intended to address 
several different reasoning tasks (including property verification) on rich domain 
descriptions, allowing for ramifications, nondeterministic and complex actions, and 
incomplete initial states, and, in particular, it can be used for reasoning about infinite 
computations. However, in this paper we do not address the problem of expressing 
preferences among goals. 

As our language includes program expressions in the temporal formulas, it is 
related to the Golog language (Levesque et al. 1997), in which complex actions 
(plans) can be formalized as Algol-like programs. ESG (Claßen and Lakemeyer 2008) 
is a second order extension of CTL* for reasoning about nonterminating Golog 
programs. In ESG, programs include, besides regular expressions, nondeterministic 
choice of arguments and concurrent composition. The paper presents a method for 
verification of a first order CTL fragment of ESG using model checking and regression 
based reasoning. Because of first order quantification, this fragment is in 
general undecidable. DLTL (Henriksen and Thiagarajan 1999) can be regarded as 
a decidable LTL fragment of ESG. Satisfiability in DLTL is known to be PSPACE-complete 
(Henriksen and Thiagarajan 1999), as for LTL. 



Observe that, although our temporal answer sets are, in general, infinite, we 
do not need to exploit specific techniques for reasoning about infinite answer sets 
(Bonatti 2004), due to the property that an infinite path can be finitely represented 
as a k-loop. 
Appendix A 

We prove Theorem 1 and Theorem 2. Let $(\Pi, \mathcal{C})$ be a well-defined domain 
description over $\Sigma$. We show that there is a one-to-one correspondence between the 
temporal answer sets of $\Pi$ and the answer sets of the translation $tr(\Pi)$. 

Theorem 1 

(1) Given a temporal answer set $(\sigma, S)$ of $\Pi$ such that $\sigma$ can be finitely represented 
as a finite path with a k-loop, there is a consistent answer set $R$ of $tr(\Pi)$ such 
that $R$ and $S$ correspond to the same temporal model. 

(2) Given a consistent answer set $R$ of $tr(\Pi)$, there is a temporal answer set $(\sigma, S)$ 
of $\Pi$ (that can be finitely represented as a finite path with a back loop) such 
that $R$ and $S$ correspond to the same temporal model. 

Proof 

Let us prove item (1). Let $(\sigma, S)$ be a temporal answer set of $\Pi$ such that $\sigma$ can be 
finitely represented as a finite path with a back loop, i.e., 

$$\sigma = a_1 a_2 \cdots a_j a_{j+1} \ldots a_{k+1}\, a_{j+1} \ldots a_{k+1} \cdots$$

We construct an answer set $R$ of $tr(\Pi)$ as follows. $R$ contains the following literals: 

$state(0), \ldots, state(k)$ 

$next(0,1), next(1,2), \ldots, next(k-1,k), next(k,j)$, and $\neg next(k,s)$ for all $s \neq j$ 

$occurs(a_1,0), occurs(a_2,1), \ldots, occurs(a_{j+1},j), \ldots, occurs(a_{k+1},k)$ 

$\neg occurs(a,s)$, for all other ground instances of the predicate $occurs$ 

$eq\_last(j)$ 

and, for all $i = 0, \ldots, k$ and for all fluent names $f \in \mathcal{P}$: 

$$(\neg)holds(f,i) \in R \text{ if and only if } [a_1;\ldots;a_i](\neg)f \in S$$

From the consistency of $S$, it is easy to see that $R$ is a consistent set of literals. To 
show that $R$ is an answer set of $tr(\Pi)$, we show that: (i) $R$ is closed under $tr(\Pi)^R$; 
(ii) $R$ is minimal (in the sense of set inclusion) among the consistent sets of literals 
closed under $tr(\Pi)^R$. 

(i) For all the rules $r$ in $tr(\Pi)^R$, we have to prove that if the literals in the body 
of $r$ belong to $R$, then the head of $r$ belongs to $R$. Let us consider the case when 
the rule $r$ in $tr(\Pi)^R$ is obtained by translating an action law in $\Pi$, of the form: 

$$\Box([a](\neg)f \leftarrow t_1, \ldots, t_m, not\ t_{m+1}, \ldots, not\ t_n)$$

(the other cases are similar). In this case, $tr(\Pi)$ contains the translation of the 
action law above: 

$$(\neg)holds(f, S') \leftarrow state(S),\ S' = S + 1,\ occurs(a, S),\ h_1, \ldots, h_m,\ not\ h_{m+1}, \ldots, not\ h_n$$

where $h_i = (\neg)holds(f_i, S')$ if $t_i = [a](\neg)f_i$, or $h_i = (\neg)holds(f_i, S)$ if $t_i = (\neg)f_i$. 

Let us consider the ground instantiation of the rule above from which $r$ is obtained. 
Suppose $S$ is instantiated with some $s \in \{1, \ldots, k\}$. It must be the case that 
$a = a_{s+1}$, as $occurs(a_{s+1}, s) \in R$ and no other action occurs in state $s$ according to 
$R$. 

If the rule $r$: 

$$(\neg)holds(f, s+1) \leftarrow state(s),\ occurs(a_{s+1}, s),\ h'_1, \ldots, h'_m \qquad (8)$$

belongs to the reduct $tr(\Pi)^R$ (where each $h'_i$ is the ground instantiation of $h_i$ with 
$S = s$), then $h'_{m+1} \notin R, \ldots, h'_n \notin R$. 

We have to show that, if the body of (8) belongs to $R$ then its head also belongs 
to $R$. 

Assume $h'_1, \ldots, h'_m$ belong to $R$. For each $i = 1, \ldots, m$, either $h'_i = (\neg)holds(f_i, s)$ 
(if $t_i = (\neg)f_i$) or $h'_i = (\neg)holds(f_i, s+1)$ (if $t_i = [a](\neg)f_i$). If $h'_i = (\neg)holds(f_i, s)$, 
by construction of $R$, $[a_1; \ldots; a_s](\neg)f_i \in S$, i.e., $(\sigma, S), a_1, \ldots, a_s \models (\neg)f_i$, and 
hence $(\sigma, S), a_1, \ldots, a_s \models t_i$. If $h'_i = (\neg)holds(f_i, s+1)$, by construction of $R$, 
$[a_1; \ldots; a_s; a_{s+1}](\neg)f_i \in S$, i.e., $(\sigma, S), a_1, \ldots, a_s, a_{s+1} \models (\neg)f_i$, and then 
$(\sigma, S), a_1, \ldots, a_s \models [a_{s+1}](\neg)f_i$. Thus, $(\sigma, S), a_1, \ldots, a_s \models t_i$. So the positive 
literals in the temporal action law are satisfied. 

To show that the negated literals $t_{m+1}, \ldots, t_n$ in the body of the temporal 
clause are not satisfied in $(\sigma, S)$ at $a_1, \ldots, a_s$, consider the fact that $h'_{m+1} \notin R, 
\ldots, h'_n \notin R$. Again, for each $i = m+1, \ldots, n$, either $h'_i = (\neg)holds(f_i, s)$ 
or $h'_i = (\neg)holds(f_i, s+1)$. 

If $h'_i = (\neg)holds(f_i, s) \notin R$, by construction of $R$, $[a_1; \ldots; a_s](\neg)f_i \notin S$, i.e., 
$(\sigma, S), a_1, \ldots, a_s \not\models (\neg)f_i$, and hence $(\sigma, S), a_1, \ldots, a_s \not\models t_i$. If $h'_i = (\neg)holds(f_i, s+1) \notin R$, 
by construction of $R$, $[a_1; \ldots; a_s; a_{s+1}](\neg)f_i \notin S$, hence $(\sigma, S), a_1, \ldots, a_s \not\models 
[a_{s+1}](\neg)f_i$. Thus, $(\sigma, S), a_1, \ldots, a_s \not\models t_i$. 

We have shown that the body of the temporal rule 

$$\Box([a](\neg)f \leftarrow t_1, \ldots, t_m, not\ t_{m+1}, \ldots, not\ t_n)$$

is true in $(\sigma, S)$ at $a_1, \ldots, a_s$, i.e., 

$$(\sigma, S), a_1, \ldots, a_s \models t_1, \ldots, t_m, not\ t_{m+1}, \ldots, not\ t_n$$

As the temporal rule belongs to $\Pi$ and is satisfied in $(\sigma, S)$, we can conclude that 
its head is also satisfied at $a_1, \ldots, a_s$, i.e., $(\sigma, S), a_1, \ldots, a_s \models [a](\neg)f$, namely, 
$[a_1; \ldots; a_s; a](\neg)f \in S$. As we observed above, $a = a_{s+1}$, hence $[a_1; \ldots; a_s; a_{s+1}](\neg)f \in 
S$ and, by construction of $R$, $(\neg)holds(f, s+1) \in R$. 

To prove (ii), we have to show that $R$ is minimal (in the sense of set inclusion) 
among the consistent sets of literals closed under $tr(\Pi)^R$. Suppose $R$ is not minimal, 
and there is a consistent set of literals $R'$ which is closed under $tr(\Pi)^R$ and such 
that $R' \subset R$. 

Suppose there is a literal $A \in R$ such that $A \notin R'$. For the auxiliary predicates 
$occurs$, $next$, etc., it is easy to see that this cannot be the case. Let us consider the 
case $A = (\neg)holds(f, i)$ and suppose that $(\neg)holds(f, i) \in R$ and $(\neg)holds(f, i) \notin 
R'$. 

We show that we can construct from $R'$ an $S' \subset S$ such that $(\sigma, S')$ satisfies the 
rules in $\Pi^{(\sigma,S)}$. We define $S'$ as follows: 

$$[a_1; \ldots; a_h](\neg)f \in S' \text{ if and only if } (\neg)holds(f, h) \in R'$$

It can be shown that $(\sigma, S')$ satisfies the rules in $\Pi^{(\sigma,S)}$. In fact, for each rule $r$ in 
$\Pi^{(\sigma,S)}$ whose body is satisfied in $(\sigma, S')$, there is a rule $r'$ in $tr(\Pi)^R$ whose body 
is true in $R'$. As $R'$ is closed under $tr(\Pi)^R$, the head of $r'$ must be true in $R'$. By 
construction of $S'$, the head of $r$ is satisfied in $(\sigma, S')$. 

As $S' \subset S$ and $(\sigma, S')$ satisfies the rules in $\Pi^{(\sigma,S)}$, $S$ is not minimal among the 
interpretations $S''$ such that $(\sigma, S'')$ satisfies the rules in $\Pi^{(\sigma,S)}$. This contradicts 
the hypothesis that $(\sigma, S)$ is a temporal answer set of $\Pi$. 

As the domain description is well-defined, $(\sigma, S)$ has to be a total temporal answer 
set. Hence, for each state $i = 1, \ldots, k$, either $holds(p, i) \in R$ or $\neg holds(p, i) \in R$. 
It is easy to see that $R$ and $(\sigma, S)$ correspond to the same temporal model, as $M_S$ 
and $M_R$ are defined over the same sequence $\sigma$ and, for each finite prefix $\tau$ of $\sigma$, 
they give the same evaluation to atomic propositions in $\tau$. 

Let us prove item (2). 

Let $R$ be an answer set of $tr(\Pi)$. We define a temporal answer set $(\sigma, S)$ of $\Pi$ as 
follows. 

Given the definition of the predicates $next$ and $occurs$ in $tr(\Pi)$, $R$ must contain, 
for some $k$ and $j$, and for some $a_1, \ldots, a_{k+1}$, the literals: 

$next(0, 1), next(1, 2), \ldots, next(k-1, k), next(k, j)$, 

$occurs(a_1, 0), occurs(a_2, 1), \ldots, occurs(a_{j+1}, j), \ldots, occurs(a_{k+1}, k)$, 

$eq\_last(j)$. 

We define $\sigma$ as: 

$$\sigma = a_1 a_2 \ldots a_j a_{j+1} \cdots a_{k+1}\, a_{j+1} \ldots a_{k+1} \cdots$$

We determine the temporal literals that belong to $S$ as follows: for all $i = 0, \ldots, k$ 
and for all fluent names $f \in \mathcal{P}$: 

$$[a_1; \ldots; a_i](\neg)f \in S \text{ if and only if } (\neg)holds(f, i) \in R$$

From the consistency of $R$, it is easy to see that $S$ is a consistent set of temporal 
literals. To show that $S$ is a temporal answer set of $\Pi$, we show that: 

(i) $(\sigma, S)$ satisfies all the rules in $\Pi^{(\sigma,S)}$; 

(ii) $S$ is minimal (in the sense of set inclusion) among the $S'$ such that $(\sigma, S')$ is a 
partial interpretation satisfying the rules in $\Pi^{(\sigma,S)}$. 

(i) Let us prove that $(\sigma, S)$ satisfies all the rules in $\Pi^{(\sigma,S)}$. Let 

$$[a_1, \ldots, a_s](H \leftarrow t_1, \ldots, t_m)$$

be a rule in $\Pi^{(\sigma,S)}$ where $a_1, \ldots, a_s \in prf(\sigma)$. Then there must be a law in $\Pi$ of the 
form: 

$$\Box(H \leftarrow t_1, \ldots, t_m, not\ t_{m+1}, \ldots, not\ t_n)$$

such that $(\sigma, S), a_1 \ldots a_s \not\models t_i$, for $i = m+1, \ldots, n$. 

Let us consider the case where such a law is a dynamic causal law (the other 
cases are similar). In this case, $H = \bigcirc(\neg)f$ and the law has the form: 

$$\Box(\bigcirc(\neg)f \leftarrow t_1, \ldots, t_m, not\ t_{m+1}, \ldots, not\ t_n)$$

where, for all $i = 1, \ldots, n$, $t_i = (\neg)f_i$ or $t_i = \bigcirc(\neg)f_i$. 
Then, $tr(\Pi)$ contains its translation: 

$$(\neg)holds(f, S') \leftarrow state(S),\ S' = S + 1,\ h_1, \ldots, h_m,\ not\ h_{m+1}, \ldots, not\ h_n$$

where $h_i = (\neg)holds(f_i, S')$ (if $t_i = \bigcirc(\neg)f_i$) or $h_i = (\neg)holds(f_i, S)$ (if $t_i = (\neg)f_i$). 
Let us consider the ground instantiation of the rule above with $S = s$, for some $s$: 

$$(\neg)holds(f, s+1) \leftarrow state(s),\ h'_1, \ldots, h'_m,\ not\ h'_{m+1}, \ldots, not\ h'_n$$

where $h'_i = (\neg)holds(f_i, s+1)$ (if $t_i = \bigcirc(\neg)f_i$) or $h'_i = (\neg)holds(f_i, s)$ (if $t_i = (\neg)f_i$). 

The rule 

$$(\neg)holds(f, s+1) \leftarrow state(s),\ h'_1, \ldots, h'_m \qquad (9)$$

must belong to the reduct $tr(\Pi)^R$. In fact, we can prove that $h'_{m+1} \notin R, \ldots, h'_n \notin 
R$. Let $t_i = (\neg)f_i$ and $h'_i = (\neg)holds(f_i, s)$. From the hypothesis, we know that 
$(\sigma, S), a_1 \ldots a_s \not\models t_i$, i.e., $(\sigma, S), a_1 \ldots a_s \not\models (\neg)f_i$, i.e., $[a_1; \ldots; a_s](\neg)f_i \notin S$. As, 
by construction of $(\sigma, S)$, $(\neg)holds(f_i, s) \in R$ iff $[a_1; \ldots; a_s](\neg)f_i \in S$, we conclude 
$(\neg)holds(f_i, s) \notin R$. Let $t_i = \bigcirc(\neg)f_i$ and $h'_i = (\neg)holds(f_i, s+1)$. From the 
hypothesis, we know that $(\sigma, S), a_1 \ldots a_s \not\models t_i$, i.e., $(\sigma, S), a_1 \ldots a_s \not\models \bigcirc(\neg)f_i$, i.e., 
$[a_1; \ldots; a_s; a_{s+1}](\neg)f_i \notin S$. As, by construction of $(\sigma, S)$, $(\neg)holds(f_i, s+1) \in R$ iff 
$[a_1; \ldots; a_{s+1}](\neg)f_i \in S$, we conclude $(\neg)holds(f_i, s+1) \notin R$, that is $h'_i \notin R$. 
To show that the law 

$$[a_1, \ldots, a_s](H \leftarrow t_1, \ldots, t_m)$$

in $\Pi^{(\sigma,S)}$ is satisfied in $(\sigma, S)$, let us assume that its body is satisfied in $(\sigma, S)$, that 
is, $(\sigma, S), a_1 \ldots a_s \models t_1, \ldots, t_m$, i.e., $(\sigma, S), a_1 \ldots a_s \models t_i$ for all $i = 1, \ldots, m$. By the 
same pattern of reasoning as above, we can show that $h'_i \in R$ for all $i = 1, \ldots, m$. 
As rule (9) is in $tr(\Pi)^R$, its body is true in $R$, and $R$ is closed under $tr(\Pi)^R$, 
the head of (9), $(\neg)holds(f, s+1)$, belongs to $R$. Hence, by construction of $(\sigma, S)$, 
$[a_1; \ldots; a_s]\bigcirc(\neg)f \in S$, that is $(\sigma, S), a_1 \ldots a_s \models H$, namely, the head of the rule 

$$[a_1, \ldots, a_s](H \leftarrow t_1, \ldots, t_m)$$

is satisfied in $(\sigma, S)$. 

(ii) $S$ is minimal (in the sense of set inclusion) among the $S'$ such that $(\sigma, S')$ is 
a partial interpretation satisfying the rules in $\Pi^{(\sigma,S)}$. 

Assume by contradiction that $S$ is not minimal. Then, there is a partial interpretation 
$(\sigma, S')$, with $S' \subset S$, satisfying the rules in $\Pi^{(\sigma,S)}$. 

We show that we can construct an $R' \subset R$ such that $R'$ is closed under $tr(\Pi)^R$. 
We define $R'$ as $R$, but for the predicate $holds$, for which we have: 

$$(\neg)holds(f, h) \in R' \text{ if and only if } [a_1; \ldots; a_h](\neg)f \in S'$$

It can be shown that $R'$ is closed under $tr(\Pi)^R$. In fact, for each rule $r$ in $tr(\Pi)^R$ 
whose body is true in $R'$, there is a rule $r'$ in $\Pi^{(\sigma,S)}$ whose body is satisfied in 
$(\sigma, S')$. As $(\sigma, S')$ satisfies all the rules in $\Pi^{(\sigma,S)}$, the head of $r'$ must be satisfied in 
$(\sigma, S')$. By construction of $R'$, the head of $r$ belongs to $R'$. 

As $R' \subset R$ and $R'$ is closed under $tr(\Pi)^R$, $R$ is not minimal among the consistent 
sets of literals closed under $tr(\Pi)^R$. This contradicts the hypothesis that $R$ is an 
answer set of $tr(\Pi)$. 

To prove that $R$ and $(\sigma, S)$ correspond to the same temporal model we can use 
the same argument as for item (1). □ 

Theorem 2 

Let $\Pi$ be the set of laws of a well-defined domain description, $R$ an answer set 
of $tr(\Pi)$ and $\alpha$ a DLTL formula. The temporal model $M_R = (\sigma, V)$ associated with 
$R$ satisfies $\alpha$ if and only if there is an answer set $R'$ of $tr'(\Pi)$ such that $R \subseteq R'$ 
and $sat(t\_alpha, 0) \in R'$ (where $t\_alpha$ is the term representing the formula $\alpha$, and 
$trans$ and $final$ encode the automata indexing the until formulas in $\alpha$). 

Proof 

We first prove the "only if" direction of the theorem. We know by Theorem 1 that 
each answer set $R$ of $tr(\Pi)$ corresponds to a temporal answer set of $\Pi$ and, for each 
state $i = 1, \ldots, k$, either $holds(p, i) \in R$ or $\neg holds(p, i) \in R$. Let us consider the 
temporal model $M_R = (\sigma_R, V_R)$ associated with $R$, as defined in section 7. 
We extend $R$ to define an answer set $R'$ of $tr'(\Pi)$ as follows: 

• all the literals in $R$ belong to $R'$; 

• for all subformulas $\beta$ of $\alpha$, for all states $h \in \{0, \ldots, k\}$: 

$$sat(t\_beta, h) \in R' \text{ if and only if } M_R, \tau_h \models \beta \qquad (10)$$

where $\tau_h = a_1 \ldots a_h$ and $t\_beta$ is the term encoding the formula $\beta$; 

• for each automaton $aut = (Q, \delta, Q_f)$ indexing an until formula in $\alpha$: 

$$final(aut, q) \in R' \text{ if and only if } q \in Q_f \qquad (11)$$

$$trans(aut, q_1, a, q_2) \in R' \text{ if and only if } q_2 \in \delta(q_1, a) \qquad (12)$$

We can show that $R'$ is an answer set of $tr'(\Pi)$, i.e., (i) $R'$ is closed under $tr'(\Pi)^{R'}$; 
(ii) $R'$ is minimal among the consistent sets of literals closed under $tr'(\Pi)^{R'}$. 

(i) holds trivially for all the rules in $tr(\Pi)$. It has to be proved for all the rules 
defining the predicate $sat$. We can proceed by cases. 

Let us consider the rule for fluents. Suppose $R'$ satisfies the body of a ground 
instance of the rule: 

sat(F,S) :- fluent(F), holds(F,S). 

that is, $fluent(p) \in R'$ and $holds(p, h) \in R'$, for some fluent name $p$ and some 
$h \in \{1, \ldots, k\}$. Then, $holds(p, h) \in R$, and thus $M_R, \tau_h \models p$. By construction of $R'$, 
it must be: $sat(p, h) \in R'$. 

Let us consider the first rule for until. Suppose $R'$ satisfies the body of a ground 
instance of the rule: 

sat(until(Aut,Q,Alpha,Beta),S) :- final(Aut,Q), sat(Beta,S). 

that is, for some $aut$ encoding a finite automaton $A = (Q, \delta, Q_f)$, for some $q \in 
Q$, for some formula $t\_beta$ and state $h$, $final(aut, q) \in R'$ (i.e., $q \in Q_f$) and 
$sat(t\_beta, h) \in R'$. By construction of $R'$, $M_R, \tau_h \models \beta$. As $q$ is a final state of the 
finite automaton $A$, it must be that $M_R, \tau_h \models \alpha\, \mathcal{U}^{A(q)} \beta$ (the until formula indexed 
by the automaton $A$ started in state $q$). Hence, by construction, 
$sat(until(aut, q, t\_alpha, t\_beta), h) \in R'$. 

The other cases are similar. 

(ii) We prove that $R'$ is minimal among the consistent sets of literals closed under 
$tr'(\Pi)^{R'}$. Let us suppose that $R'$ is not minimal and that there is an $R'' \subset R'$ such 
that $R''$ is closed with respect to $tr'(\Pi)^{R'}$. There must be a literal $l \in R' - R''$. $l$ 
cannot be a literal in $R$, as $R$ is an answer set of $tr(\Pi)$, and the definition of the 
predicates in $R$ does not depend on the predicates $sat$, $trans$ and $final$ introduced 
in $tr'(\Pi)$. Also, $l$ cannot be a $trans$ or $final$ literal, as these predicates are only 
defined by ground atomic formulas, which must all be in $R''$. Suppose there is 
$sat(t\_alpha, h) \in R'$ such that $sat(t\_alpha, h) \notin R''$. 

Using the fact that $R''$ is closed with respect to $tr'(\Pi)^{R'}$, it can be proved that, 
for all the subformulas $\beta$ of $\alpha$, if $M_R, \tau_h \models \beta$ then $sat(t\_beta, h) \in R''$. The proof is 
by induction on the structure of $\beta$. 

As $sat(t\_alpha, h) \in R'$, by construction of $R'$ it must be that $M_R, \tau_h \models \alpha$. 
Then, by the previous property, $sat(t\_alpha, h) \in R''$. This contradicts the fact 
that $sat(t\_alpha, h) \notin R''$. Hence, $R'$ is an answer set of $tr'(\Pi)$. 

To conclude the proof of the "only if" part, it is easy to see that, from (10), if 
$M_R, \varepsilon \models \alpha$ then $sat(t\_alpha, 0) \in R'$, where $\varepsilon$ represents the empty sequence of 
actions. 

We have shown that, given an answer set $R$ of $tr(\Pi)$ satisfying $\alpha$, we can construct 
an answer set $R'$ of $tr'(\Pi)$ such that $sat(t\_alpha, 0) \in R'$. To prove the "if" direction 
of the theorem, let us assume that there is an answer set $R''$ of $tr'(\Pi)$ such that $R''$ 
extends $R$ and $sat(t\_alpha, 0) \in R''$. We can show that $R''$ must coincide with the $R'$ 
built above. In fact, it can be easily proved that, for all subformulas $\beta$ of $\alpha$, 

$$sat(t\_beta, h) \in R'' \text{ iff } sat(t\_beta, h) \in R'$$

The proof can be done by induction on the structure of $\beta$ (observe that both $R'$ 
and $R''$ extend $R$, which provides the evaluation of fluent formulas to be used by 
the $sat$ predicate). As $R''$ coincides with $R'$, if $sat(t\_alpha, 0) \in R''$ then, by (10), 
$M_R, \varepsilon \models \alpha$. □ 
Appendix B 

In this appendix we provide the encoding of BMC and Example 2 in DLV-Complex 
(https://www.mat.unical.it/dlv-complex). 

state(0..#maxint).

laststate(N) :- state(N), #maxint=N+1.
% general rules

occurs(A,S) :- not -occurs(A,S), action(A), state(S), laststate(L), S<=L.
-occurs(B,S) :- occurs(A,S), action(A), state(S), action(B), A!=B.

next(S,SN) :- state(S), laststate(LS), S<LS, SN=S+1.

-next(LS,S) :- laststate(LS), next(LS,SS), state(S), state(SS), S!=SS.
next(LS,S) :- laststate(LS), state(S), S<=LS, not -next(LS,S).
:- laststate(LS), next(LS,S), not eq_last(S).

diff_last(S) :- state(S), S<#maxint, fluent(F),
                holds(F,S), -holds(F,#maxint).
diff_last(S) :- state(S), S<#maxint, fluent(F),
                holds(F,#maxint), -holds(F,S).
eq_last(S) :- state(S), S<#maxint, not diff_last(S).

% The action theory makes use of the predicates:
% action(A), fluent(FL), holds(FL,State)

% evaluation of DLTL formulas

% makes use of predicate formula(F)

% true

sat(true,S) :- state(S).
% fluents

sat(F,S) :- fluent(F), state(S), holds(F,S).
% not

sat(neg(Alpha),S) :- formula(neg(Alpha)), state(S), not sat(Alpha,S).
% or

sat(or(Alpha1,Alpha2),S) :- formula(or(Alpha1,Alpha2)), state(S),
                            sat(Alpha1,S).
sat(or(Alpha1,Alpha2),S) :- formula(or(Alpha1,Alpha2)), state(S),
                            sat(Alpha2,S).
% until

% An automaton is specified by the predicates
% trans(Automaton,Q1,Action,Q2) and
% final(Automaton,Q)

sat(until(Aut,Q,Alpha,Beta),S) :-
    formula(until(Aut,Q,Alpha,Beta)),
    final(Aut,Q),
    sat(Beta,S),
    state(S).
sat(until(Aut,Q,Alpha,Beta),S) :-
    formula(until(Aut,Q,Alpha,Beta)),
    sat(Alpha,S),
    trans(Aut,Q,Act,Q1),
    action(Act),
    occurs(Act,S),
    next(S,S1),
    sat(until(Aut,Q1,Alpha,Beta),S1).

% derived operators and modalities
% ev(Alpha) means <>Alpha
% diamond(Az,Alpha) means <Az>Alpha
% box(Az,Alpha) means [Az]Alpha

sat(and(Alpha1,Alpha2),S) :- formula(and(Alpha1,Alpha2)),
                             state(S),
                             sat(Alpha1,S), sat(Alpha2,S).

sat(impl(Alpha1,Alpha2),S) :- formula(impl(Alpha1,Alpha2)),
                              state(S),
                              not sat(Alpha1,S).
sat(impl(Alpha1,Alpha2),S) :- formula(impl(Alpha1,Alpha2)),
                              state(S),
                              sat(Alpha2,S).

sat(diamond(A,Alpha),S) :- formula(diamond(A,Alpha)),
                           action(A), state(S),
                           occurs(A,S),
                           next(S,SN),
                           sat(Alpha,SN).

sat(ev(Alpha),S) :- formula(ev(Alpha)),
                    state(S),
                    sat(Alpha,S).
sat(ev(Alpha),S) :- formula(ev(Alpha)),
                    state(S),
                    next(S,SN),
                    sat(ev(Alpha),SN).

sat(box(A,Alpha),S) :- formula(box(A,Alpha)),
                       action(A), state(S), action(B), formula(Alpha),
                       occurs(B,S),
                       A!=B.
sat(box(A,Alpha),S) :- formula(box(A,Alpha)),
                       state(S),
                       occurs(A,S),
                       next(S,SN),
                       sat(Alpha,SN).

% the following rules define all subformulas of a given formula

formula(F) :- formula(neg(F)).
formula(F1) :- formula(or(F1,F2)).
formula(F2) :- formula(or(F1,F2)).
formula(F1) :- formula(until(Aut,Q,F1,F2)).
formula(F2) :- formula(until(Aut,Q,F1,F2)).

formula(until(Aut,Q1,Alpha,Beta)) :- formula(until(Aut,Q,Alpha,Beta)),
                                     trans(Aut,Q,Act,Q1).
formula(F1) :- formula(and(F1,F2)).
formula(F2) :- formula(and(F1,F2)).
formula(F1) :- formula(impl(F1,F2)).
formula(F2) :- formula(impl(F1,F2)).
formula(F) :- formula(diamond(A,F)).
formula(F) :- formula(ev(F)).
formula(F) :- formula(box(A,F)).

% Encoding of Example 2

room(a).
room(b).

action(begin).

action(sense_mail(R)) :- room(R).
action(deliver(R)) :- room(R).
action(wait).

fluent(mail(R)) :- room(R).
% action effects
holds(mail(R),SN) :-
    room(R), occurs(sense_mail(R),S), SN=S+1,
    not -holds(mail(R),SN).
-holds(mail(R),SN) :-
    room(R), occurs(deliver(R),S), SN=S+1.

% persistency

holds(F,SN) :-
    holds(F,S),
    SN=S+1,
    not -holds(F,SN).
-holds(F,SN) :-
    -holds(F,S),
    SN=S+1,
    not holds(F,SN).
% preconditions

:- occurs(deliver(R),S), -holds(mail(R),S).
:- occurs(wait,S), holds(mail(R),S).

% initial state

holds(mail(R),0) :- room(R), not -holds(mail(R),0).
-holds(mail(R),0) :- room(R), not holds(mail(R),0).

% temporal constraints

formula(diamond(begin,true)).

:- not sat(diamond(begin,true),0).

formula(neg(ev(neg(box(begin,until(aut,q1,true,true)))))).

trans(aut,q1,sense_mail(a),q2).
trans(aut,q2,sense_mail(b),q3).
trans(aut,q3,deliver(a),q4).
trans(aut,q3,deliver(b),q4).
trans(aut,q3,wait,q4).
trans(aut,q4,begin,q5).
final(aut,q5).

:- not sat(neg(ev(neg(box(begin,until(aut,q1,true,true))))),0).
% counterexample (negated property)

formula(ev(neg(impl(mail(b),ev(neg(mail(b))))))).

:- not sat(ev(neg(impl(mail(b),ev(neg(mail(b)))))),0).
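As an added example (not code from the paper), the following Python program mirrors the sat rules of the encoding above and evaluates them on a finitely represented k-loop path of Example 2; the path (its fluent values, action sequence and loop-back state) and the automaton dictionary layout are assumptions made here for illustration, and ev and until are computed as least fixpoints, as the recursive rules yield in an answer set.

```python
"""Added example (not from the paper): a Python mirror of the sat/2 rules of
the DLV-Complex encoding above, run on a constructed k-loop path of Example 2.
Formulas are nested tuples following the DLV-Complex terms: ("true",),
("fluent", f), ("neg", a), ("or", a, b), ("and", a, b), ("impl", a, b),
("diamond", act, a), ("box", act, a), ("ev", a), ("until", aut, q, a, b)."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# automaton indexing an until formula: trans/4 as (q, action) -> {q'}, final/2 as a set
Automaton = Tuple[Dict[Tuple[str, str], Set[str]], Set[str]]

@dataclass
class KLoopPath:
    """States 0..k (the finite representation of Theorem 1): holds[s] are the
    fluents true in s, actions[s] the action occurring in s, next(k) = loop_to."""
    holds: List[Set[str]]
    actions: List[str]
    loop_to: int

    def next(self, s: int) -> int:
        return s + 1 if s < len(self.holds) - 1 else self.loop_to

def sat(path: KLoopPath, automata: Dict[str, Automaton], f: tuple) -> Set[int]:
    """States s with sat(f, s). Each branch is the corresponding ASP rule; ev
    and until are least fixpoints, which is what the recursive rules yield in
    an answer set (nothing is derived "by assumption" around the loop)."""
    kind, args = f[0], f[1:]
    S = set(range(len(path.holds)))
    if kind == "true":
        return S
    if kind == "fluent":
        return {s for s in S if args[0] in path.holds[s]}
    if kind == "neg":                                   # not sat(Alpha,S)
        return S - sat(path, automata, args[0])
    if kind == "or":
        return sat(path, automata, args[0]) | sat(path, automata, args[1])
    if kind == "and":
        return sat(path, automata, args[0]) & sat(path, automata, args[1])
    if kind == "impl":                                  # not sat(A1,S) or sat(A2,S)
        return (S - sat(path, automata, args[0])) | sat(path, automata, args[1])
    if kind in ("diamond", "box"):
        act, nxt = args[0], sat(path, automata, args[1])
        if kind == "diamond":      # <a>Alpha: a occurs in s and Alpha holds next
            return {s for s in S if path.actions[s] == act and path.next(s) in nxt}
        return {s for s in S if path.actions[s] != act or path.next(s) in nxt}
    if kind == "ev":                                    # <>Alpha along next/2
        result = set(sat(path, automata, args[0]))
        while True:
            new = {s for s in S if path.next(s) in result} - result
            if not new:
                return result
            result |= new
    if kind == "until":
        aut_name, q0, alpha, beta = args
        trans, final = automata[aut_name]
        sat_a, sat_b = sat(path, automata, alpha), sat(path, automata, beta)
        # pairs (q, s) for which sat(until(aut,q,Alpha,Beta),s) is derivable
        result = {(q, s) for q in final for s in sat_b}
        while True:
            new = {(q, s) for s in sat_a for (q, act), succs in trans.items()
                   if path.actions[s] == act
                   and any((q1, path.next(s)) in result for q1 in succs)} - result
            if not new:
                return {s for (q, s) in result if q == q0}
            result |= new
    raise ValueError(f"unknown formula constructor {kind!r}")

def example2() -> Tuple[KLoopPath, Dict[str, Automaton]]:
    """Constructed k-loop path (states 0..7, next(7) = 4) of Example 2: the
    robot senses mail in both rooms but only ever delivers to room a."""
    holds = [set(), set(), {"mail(a)"}, {"mail(a)", "mail(b)"}, {"mail(b)"},
             {"mail(b)"}, {"mail(a)", "mail(b)"}, {"mail(a)", "mail(b)"}]
    actions = ["begin", "sense_mail(a)", "sense_mail(b)", "deliver(a)",
               "begin", "sense_mail(a)", "sense_mail(b)", "deliver(a)"]
    aut = ({("q1", "sense_mail(a)"): {"q2"}, ("q2", "sense_mail(b)"): {"q3"},
            ("q3", "deliver(a)"): {"q4"}, ("q3", "deliver(b)"): {"q4"},
            ("q3", "wait"): {"q4"}, ("q4", "begin"): {"q5"}}, {"q5"})
    return KLoopPath(holds, actions, 4), {"aut": aut}

TRUE, MAIL_B = ("true",), ("fluent", "mail(b)")
FORMULAS = {  # the two temporal constraints of Example 2 and the negated property
    "starts_with_begin": ("diamond", "begin", TRUE),
    "protocol": ("neg", ("ev", ("neg", ("box", "begin", ("until", "aut", "q1", TRUE, TRUE))))),
    "counterexample": ("ev", ("neg", ("impl", MAIL_B, ("ev", ("neg", MAIL_B))))),
}

def check_example2() -> Dict[str, bool]:
    """sat(F, 0): are both constraints met, and does the path violate the property?"""
    path, automata = example2()
    return {name: 0 in sat(path, automata, f) for name, f in FORMULAS.items()}
```

On the constructed path both constraints hold in state 0 and the negated property is also satisfied there, so the path is a counterexample of the kind the last constraint of Appendix B asks the solver to find.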
Appendix C 

In this appendix we report tests of our approach for bounded model checking 
of DLTL formulas, in the line of the LTL BMC experiments in section 4 of 
(Heljanko and Niemelä 2003). 

In particular, we consider the dining philosophers problems and the LTL formulas 
in section 4 of (Heljanko and Niemelä 2003); the relevant results are in Table 2 of 
that paper, columns Int n and Int s, which provide, respectively, the smallest 
integer n such that a counterexample of length n can be found using the interleaving 
semantics, and the time in seconds to find the counterexample. The interleaving 
semantics is the relevant one since in this paper we do not consider concurrent 
actions. 

The general approach of the present paper can be directly mapped to the DLV-Complex 
extension of the DLV system, as shown in Appendix B. However, for a 
fairer comparison with the results in (Heljanko and Niemelä 2003), we have tested 
a representation of the dining philosophers problem, and of the LTL formulas to 
be verified, in the DLV system rather than in its DLV-Complex extension. Apart 
from not using parametric fluents and actions, this means that, rather than using 
clauses (as in section 7) such as 

sat(or(Alpha,Beta),S) :- sat(Alpha,S). 
sat(or(Alpha,Beta),S) :- sat(Beta,S). 

we provide, given the formula to be verified, a unique name for the formula and each of 
its subformulas; if a formula named gamma is the disjunction alpha ∨ beta of the 
formulas named alpha and beta, we provide the clauses: 

sat(gamma,S) :- sat(alpha,S). 
sat(gamma,S) :- sat(beta,S). 

and similarly for the other operators. Such clauses can easily be generated automatically 
from the formula to be verified. 

Moreover, we have applied some minor variations of the general approach in section 
7 of our paper, such as using DLV built-in predicates. 

Table 1 reports the results obtained on a Dell PowerEdge server with 2 Intel 
Xeon E5520 processors (2.26 GHz, 8M cache) and 32 Gb of memory. 

Column n is the same as the Int n column in Table 2 of (Heljanko and Niemelä 2003), 
i.e., the smallest integer such that a counterexample of length n can be found. 
Column "boundsmodels" is the analogue of the Int s column in their paper 
(except that we include the result for 12 philosophers); it provides the running 
times in seconds to find a counterexample, running on our machine the code from 
http://www.tcs.hut.fi/kepa/experiments/boundsmodels/. The last column provides 
the running times in seconds to find a counterexample running in DLV the programs 
enclosed. The scalability of the approaches for such problems is similar, and this 
provides some evidence that the approaches have similar practical relevance for 
problems that can be represented easily in both of them. 
| Problem | n  | boundsmodels (s) | TemporalASP-DLV (s) | 
| DP(6)   | 8  | 0.1              | 0.1                 | 
| DP(8)   | 10 | 1.4              | 2.4                 | 
| DP(10)  | 12 | 29.1             | 115.7               | 
| DP(12)  | 14 | 7837.1           | 13036.2             | 

Table 1. Dining philosophers results 



